Public Health

To comply with the UK General Data Protection Regulation (UK GDPR), where personal data relating to a data subject is collected, Lancashire County Council would like to provide you with the following details.

Contact details of this Lancashire County Council service

Note that for queries intended for this specific service, do not contact the Data Protection Officer (DPO) mailbox, instead please direct your query to the following point of contact:

PHAdmin@lancashire.gov.uk

Reasons for processing your personal data

The Public Health Team within Lancashire County Council is responsible for improving and protecting the health and wellbeing of the local population. This includes both statutory (mandated) and non-statutory functions, as defined by national legislation and local priorities.

Core functions

  1. Health Improvement and Promotion
    • Designing and delivering programmes to encourage healthy lifestyles, including physical activity, healthy eating, smoking cessation, and responsible alcohol use.
    • Supporting mental health and wellbeing initiatives.
  2. Health Protection
    • Monitoring and responding to infectious disease outbreaks.
    • Collaborating with partners to manage environmental health risks and seasonal health threats.
  3. Commissioning Public Health Services
    • Procuring and overseeing services such as:
      • Sexual health services
      • Substance misuse treatment and prevention
      • NHS Health Checks
      • Services for children aged 0–5 and 5–19 years
      • Stop smoking services
  4. Statutory Responsibilities
    • Delivering mandated services under the Health and Social Care Act 2012, including:
      • National Child Measurement Programme
      • Open-access sexual health services
      • Public health advice to NHS commissioners
  5. Data and Intelligence
    • Collecting and analysing health data to inform service planning and delivery.
    • Conducting Joint Strategic Needs Assessments (JSNAs) and contributing to the Health and Wellbeing Strategy.
  6. Partnership Working
    • Collaborating with NHS organisations, District councils, voluntary sector, education, housing, and other council departments to address the wider determinants of health and wider public health issues.
    • Supporting Health and Wellbeing Boards and community safety initiatives.
  7. Public Engagement and Consultation
    • Engaging with residents to understand health needs and preferences.
    • Consulting on public health strategies and service changes.

Legal basis for processing personal data

The legal basis for processing your personal data, in accordance with the UK GDPR Article 6 is:

(e) Public Task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law. We will cite the applicable task/function and its' basis in law if we wish to rely on this basis for processing.

This basis applies because our public health team operates under statutory duties and powers conferred by legislation such as the Health and Social Care Act 2012, which mandates councils to improve and protect public health. Their activities—such as disease surveillance, health promotion, and service commissioning—are considered tasks in the public interest or exercises of official authority.

Legal basis for processing special categories of personal data

The legal basis for processing special categories of personal data relating to you, in accordance with the UK GDPR Article 9 is:

(g) Processing is necessary for reasons of substantial public interest.

This may apply where public health teams process data to fulfil statutory duties, such as safeguarding, reducing health inequalities, or supporting vulnerable populations.

(h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

This basis is commonly used when public health teams are involved in commissioning or managing health services, conducting health assessments, or supporting care pathways. It must be supported by domestic law and appropriate safeguards.

(i) Processing is necessary for reasons of public interest in public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

This basis is particularly relevant for activities such as disease surveillance, outbreak response, vaccination programmes, and other public health protection measures.

Legal basis for processing criminal offence data

Where we process data relating to criminal convictions or offences, we do so in accordance with Article 10 of the UK GDPR and the Data Protection Act 2018, Schedule 1. This processing is carried out under the control of official authority and is necessary for statutory public health functions, safeguarding, or other lawful purposes.

Information we process about you

Categories of Personal Data We Process

To carry out our statutory public health duties and deliver services that protect and improve the health of our residents, the Public Health Team may process the following categories of personal data:

Personal Data

This includes information that can identify you directly or indirectly:

  • Full name
  • Date of birth
  • Address and postcode
  • Contact details (e.g. telephone number, email address)
  • NHS number
  • Gender
  • Ethnicity
  • Employment or education status

Special Category Data

We may process sensitive personal data that requires additional protection, such as:

  • Physical and mental health information
  • Sexual health data
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Genetic and biometric data (where used for identification)
  • Sexual orientation
  • Data relating to health and social care service use

Criminal Convictions and Offences Data

In limited circumstances, we may process data relating to criminal convictions or offences, particularly where necessary for safeguarding or public protection purposes. This is done in accordance with Article 10 of the UK GDPR and the Data Protection Act 2018.

Pseudonymised Data

We may use data that has been de-identified using artificial identifiers to reduce the risk of identification while still allowing analysis and service planning.

Anonymised and Aggregated Data

We also use data that has been fully anonymised and grouped for statistical or analytical purposes. This data cannot be used to identify individuals.

Geographical and Demographic Data

To assess health needs and inequalities, we may process:

  • Postcodes
  • Area-level deprivation indices
  • Age bands and population groups

Service Use and Health Behaviour Data

We may collect and analyse data from surveys, service providers, and national programmes, including:

  • Medical records (e.g. diagnoses, immunisation records, etc)
  • Lifestyle behaviours (e.g. smoking, alcohol use, physical activity)
  • Disease prevalence and incidence (e.g. diabetes, cancer)
  • Use of GP, hospital, mental health, and social care services

Recipients of the personal data that we process about you

To fulfil our statutory public health duties and deliver services that protect and improve the health of our residents, the Public Health Team may share personal data with the following organisations and partners, where necessary and lawful:

NHS Organisations

  • NHS England and NHS Digital
  • Integrated Care Boards (ICBs)
  • General Practices (GPs)
  • Hospitals and other NHS Trusts
  • Community and mental health services

Local Authority Departments

  • Adult Social Care
  • Children's Services
  • Education and Early Years teams
  • Community Safety and Housing teams

Government Departments and Agencies

  • Office for Health Improvement and Disparities (OHID)
  • UK Health Security Agency (UKHSA)
  • Department of Health and Social Care (DHSC)

Commissioned Service Providers

  • Organisations commissioned by the council to deliver public health services (e.g. sexual health, substance misuse, school nursing, health visiting)
  • Voluntary and community sector organisations

Academic and Research Institutions

  • Universities and research bodies conducting public health studies or evaluations, under strict data sharing agreements and ethical approvals

Other Local Authorities

  • Where joint working arrangements or shared services exist, or where individuals move between council areas

Regulatory and Safeguarding Bodies

  • Care Quality Commission (CQC)
  • Multi-agency safeguarding partnerships
  • Police and probation services (in safeguarding or public protection contexts)

Data Processors

  • External organisations contracted to process data on behalf of the council, under strict contractual and data protection controls

Any transfers to another country

  • No

Retention periods

Lancashire County Council will only store your information for as long as is legally required or in situations where there is no legal retention period they will follow established best practice.

File type Description Security Retention period

Health Needs/Impact Assessments

Data used to assess population health and risk, plus to inform service planning

Stored securely, in some cases, on encrypted systems

10 years from creation or last use

Service User Records

Data from commissioned services (e.g. sexual health, substance misuse)

Access restricted to authorised personnel

8 years after the last contact or service closure

Surveillance, Outbreak and Cluster Analysis data – patient identifiable

Data collected for outbreak management, disease monitoring, environmental risk, etc.

Both raw and aggregated data; secure storage – short, medium and long-term conditions

Access restricted to authorised personnel

6 years for short-term conditions

20 years for medium-term conditions

100 years for long-term conditions

May be used for Public Inquiry

8 years or longer if used as national surveillance

Epidemiological reports

Intelligence reports shared between partners, e.g. UKHSA, ICB to support incident management.

Both raw and aggregated data; secure storage – short, medium and long-term conditions

Encrypted file transfer

6 years for short-term conditions

20 years for medium-term conditions

100 years for long-term conditions

May be used for Public Inquiry

8 years or longer if used as national surveillance

Child Measurement Programme

Data collected under statutory duties for child health monitoring

Secure systems with role-based access

Until the child reaches age 25

NHS Health Check Data

Data collected for adult health screening programmes

Encrypted storage: access controlled

6 years after last check

Consultation Responses

Data from public engagement and surveys

Anonymised where possible; securely stored

2 years after consultation closes

Commissioning and Contract Data

Data relating to public health service contracts and performance

Secure council systems; limited access

6 years after the contract end

Safeguarding Records

Data used in safeguarding or public protection contexts

High-level access controls; secure storage

75 years or until subject’s death

Research and Evaluation Data

Data used for public health research or service evaluation

Pseudonymised/anonymised; ethical safeguards

10 years or as defined by research protocol

Individual Alerts and Contacts

Records of direct contact with individuals at risk or reporting concerns

Encrypted; access-controlled; audit trail maintained

Non-encrypted: stored on council secure systems

8 years from date of contact (or until resolution + 6 years)

Risk Stratification Outputs

Lists of high-risk individuals for targeted interventions

Various - individual-level and aggregated data; Encrypted; pseudonymised where possible.

Secure servers; restricted access

8 years from date of intervention (aligned with health records retention)

Screening and Immunisation data

Place-based health inequalities

Coverage and uptake rates

Raw and aggregated data; secure storage

NHS-compliant secure platforms

10 years (as per NHS guidance)

Aggregated Public Dashboards

Anonymised data used for public reporting and awareness

Public-facing; anonymised and aggregated

NHS-compliant secure platforms (in some cases), otherwise secure storage

Retain as long as relevant; archive after 5 years

General Correspondence

Emails and letters relating to public health enquiries or operations

Secure email systems: retention policy applied

2 years unless part of a formal record

Health Awareness Campaign Logs

Records of outreach activities, engagement, and behavioural interventions

Distribution lists personal contact details – consent given from none LCC

Secure internal systems; raw (consent given) or aggregated data

6 years (standard for public health campaigns)

Your rights

You have certain rights under the UK General Data Protection Regulation (UK GDPR), these are those rights:

  • to be informed via Privacy Notices such as this.
  • to withdraw your consent. If we are relying on your consent to process your data, then you can remove this at any point.
  • of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this, we will contact you. You can request a subject access request, either via a letter or via an email to Information Governance Team, address below.
  • of rectification, we must correct inaccurate or incomplete data within one month.
  • to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
  • to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
  • to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
  • to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
  • in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

If you want to exercise any of these rights, then you can do so by contacting:

Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: dpo@lancashire.gov.uk

To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), as much detail as possible regarding your request so that we can identify any information we may hold about you, this may include your previous name and address, date of birth and what council service you were involved with.

Identity and contact details of the data controller

  • Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Contact details of the data protection officer

  • Our Data Protection Officer is Joanne Winston. You can contact her at dpo@lancashire.gov.uk or Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Further information

For more information about how we use personal information see Lancashire County Council's full privacy notice.

If you wish to raise a complaint on how we have handled your personal data, you can contact the Information Governance team who will investigate the matter.

Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ or email: dataprotection@lancashire.gov.uk

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).