Public Health (Health Protection Team – COVID-19 data) privacy notice

Who is the data controller for the information we collect

This Privacy Notice is provided to meet the requirements of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) to explain how we process your personal data in delivering Public Health (Health Protection Team – COVID-19 data) project. 

Leeds City Council is the data controller for the purposes of the Data Protection Act 2018 and other regulations including the UK General Data Protection Regulation, which means it determines what your data is used for and why it is collected. Our contact details are Leeds City Council, Merrion House, 110 Merrion Way, Leeds, LS2 8BB.

The data we will collect

We collect the following information about you: 

  • first language
  • age
  • gender at birth
  • registered GP practice

We also collect Special Category data about you, such as:

  • personal data revealing racial or ethnic origin
  • data concerning health
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
  • disability status

How do we collect information about you 

The Health Protection team, Leeds City Council, receive anonymised data on COVID-19 and other infectious diseases from a variety of sources including schools, care homes, workplaces, and the Government (see below for full details).

Why we process your data 

The purpose of receiving and using this data is for surveillance, monitoring and reporting of COVID-19 and infectious diseases, to support with proactive outbreak management and the notifying local health protection system. Whilst the Council will always attempt to ensure that personal data received is anonymized, however, in some cases this will not be possible (for example, due to the size of a business being sufficiently small to enable individuals identified).

Lawful basis for processing

We will process your data in accordance with UK GDPR Article 6(1) as follows:

This includes but is not limited to the following set out within the UK GDPR:

  • Article 6(1)(a) – the data subject has given consent 
  • Article 6(1)(b) – processing is necessary for the performance of a contract
  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation
  • Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller 

For the processing of “special category data” such as someone’s physical and mental health: 

  • Article 9(2)(g) of the UK GDPR Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The processing of special category under Article 9 also requires the following conditions for processing from the UK Data Protection Act 2018 to be met: 

  • Schedule 1, Part 2 section 6(a), processing is met under the exercise of a function conferred on a person by an enactment 
  • Schedule 1, Part 1 section 2(1), this condition is met if the processing is necessary for health and social care purposes

These Schedule 1 conditions require an Appropriate Policy Document to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. Our Appropriate Policy document provides further information about this processing.

Data retention, storage and destruction

Our data retention policies and procedures are designed to help ensure that we comply with our legal obligations in relation to the retention. This means that your information will be kept for the duration of the Data Sharing Agreement with NHS England (expiry date 31st May 2027). This Agreement may be replaced with a new Data Sharing Agreement.

Who can we share your data with

The Health Protection team receive anonymised data on COVID-19 and other infectious diseases from:

  • schools internally via the schools team/DCS 
  • early years settings via the council’s Early Years Alert team 
  • care homes via Infection Prevention Control Leeds Community Healthcare team (NHS)
  • workplaces internally via environmental health 
  • food safety alerts via Environmental Health and Infection Prevention Control Leeds Community Healthcare team (NHS)
  • the UK Health Security Agency – who have direct contact with settings but also share a Common Exposures Report with us, with data from NHS Test and Trace for settings of all kinds 
  • universities (directly) 
  • university private accommodation (directly)

This data is uploaded onto an IT system provided by our data processor Aire Logic.

Automated decision making

Your data will not be used for any automated decision making, including profiling.

Your rights 

The following rights under data protection law are available under the UK GDPR:

  • the right to access – you can ask for copies of your personal data
  • the right to rectification – you can ask us to rectify inaccurate personal data and to complete incomplete personal data
  • the right to erasure - where you can ask us to erase your personal data
  • the right to restrict processing – you can ask us to restrict the processing of your personal data
  • the right to data portability (where you can ask that we transfer your personal data to another organisation or to you)
  • the right to object to processing (where you can object to the processing of your personal data)
  • the right to complain to a supervisory authority – you can complain about our processing of your personal data
  • the right to withdraw consent (to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent

All data rights apply where we process your information based on your consent.

Where we process your information under legal obligation certain rights to do not apply, such as erasure, data portability, objection to processing and the right to withdraw consent.

Where we process your data under the public task basis, certain rights to do not apply, such as erasure, data portability and the right to withdraw consent.

Where we process your data under the performance of a contract basis, the following data rights do not apply - the right to object to processing. You can object to the processing of your personal data by withdrawing your consent.

These rights are subject to certain limitations and exceptions. You can learn more about your rights through the ‘Your individual rights and how to exercise them’, and the Information Commissioner’s Office website. You may exercise any of the above rights in relation to your personal data by writing to us, using the contact details provided below.

When your data gets sent to other countries

The information you provide will not be transferred to another country outside of the UK.

Contact us 

Any queries in relation to this Privacy Notice should be forwarded to:

Email: PHI.Requests@leeds.gov.uk 

By post:
The Public Health Intelligence Team
Adults and Health Directorate
NHS Leeds CCG
Suites 2-4, Wira House
West Park Ring Road
Leeds, LS16 6EB

Data Protection Officer

Aaron Linden
Head of Information Management and Governance - Data Protection Officer
Leeds City Council
Merrion House
110 Merrion Way
Leeds
LS2 8BB

Email: DPO@leeds.gov.uk 

The council privacy notice is available to view online.

Complaints

If you are unhappy with the way in which your information has been handled, you should speak with the specific service in the first instance.

Any data protection complaints about how the council has processed your personal data, will be handled in accordance with the council’s complaints Policy. You can find out how to submit a complaint by visiting this link.

If we cannot resolve your complaint, you can refer to the Information Commissioner if you consider that there has been an infringement of data protection legislation. Further details can be found on the Information Commissioner’s website.

Changes to this notice

We keep our privacy notice under regular review. We will notify you of significant changes to this notice by email or other means as appropriate. This privacy notice was last updated March 2025.