Coronavirus - Privacy notice
Who we are and what we do
This privacy notice explains how West Oxfordshire District Council (as a Data Controller) will collect, use and protect personal data specifically with regard to Covid-19 (Coronavirus) Pandemic.
You may have provided information for a specific reason normally the Council would seek to inform you that the data provided would be being used for a different purpose. Due to the rapidly emerging situation regarding the current pandemic this will not always be possible. If we already hold information regarding vulnerability as defined in the current guidance from the Government and Public Health England, we may share this for emergency planning purposes or to protect your vital interests by sharing with services both inside and outside the Council.
We may in this current crisis need to ask you for personal information including sensitive personal information for example your age or if you have any underlying illnesses or are vulnerable, that you have not already supplied. This is so the Council can assist and prioritise its services.
Any questions regarding our privacy practices should be sent to:
Data Protection Officer (DPO)
West Oxfordshire District Council
Tel: 01993 861194
Your personal data
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.
Some of your personal data is classed as 'special categories of personal data' because it is the information that is considered to be more sensitive and therefore requires more protection.
Our lawful basis for processing your information
How we are processing your personal data will determine the legal basis for processing. The legal bases for processing by the council as a public authority will be:
- Article 6(1)(d) – is necessary in order to protect the vital interests of the data subject or another natural person.
- Recital 46 adds that “some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”.
- Article 6(1)(e) – is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Section 8(c) of the Data Protection Act sets out that such a task must be necessary for the performance of a function conferred on a person by an enactment or rule of law.
- The processing of special categories of personal data, which includes data concerning a person’s health, are prohibited unless specific further conditions can be met. These further relevant conditions are below:
- Article 9(2)(i) – is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
- Schedule 1, Part 1(1) – is necessary for the performance or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, e.g. Health and Safety at Work Act 1974.
- Schedule 1, Part 1(3) – is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law, e.g. Governmental guidance published by Public Health England
If there is a significant threat to health of the public, for instance an outbreak of an infectious disease, the Council has the legal right to use identifiable data under:
Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.
Our lawful basis under GDPR when you register to volunteer are:
- explicit consent – Article 6(1)(a) and 9(2)(a)
Who your information may be shared with (internally and externally)
We will only share your information where necessary with partner organisations as part of the COVID-19 response. We may be required by law to share your information in order to safeguard public safety or in emergency situations.
The Council participates with Government, district and city councils, health agencies and partner organisations in delivering national and local Covid-19 measures.
- Local Contact Tracing to support the national Test and Trace programme requires data sharing with PHE, NHS, local councils and universities.
- Shielding vulnerable persons requires data sharing with Government, local councils and partner voluntary organisations
- Priority food provision requires data sharing with Defra and local councils
How long we keep your information (retention period)
We will only keep your information for the minimum period necessary. The information outlined in this privacy notice will be kept for the duration of the COVID 19 response.
All information will be held securely and destroyed under confidential conditions 12 months after the end of the COVID 19 has officially ended.
How we protect your Information
We have implemented generally accepted standards of technology and operational security in order to protect personal data from loss, misuse, or unauthorised alteration or destruction.
Please note however that where you are transmitting information to us over the internet this can never be guaranteed to be 100% secure.
You have rights under the Data Protection Legislations:
- To access your personal data
- To be provided with information about how your personal data is processed
- To have your personal data corrected
- To have your personal data erased in certain circumstances
- To object to or restrict how your personal data is processed
- To have your personal data transferred to yourself or to another business in certain circumstances
- To be told if we have made a mistake whilst processing your data and we will self-report breaches to the Commissioner.
How you can access, update or correct your information
The Data Protection Legislation allows you to find out what information is held about you, on paper and computer records. This is known as ‘right of subject access’ and applies to your data along with all other personal records.
If you wish to see a copy of your records you should contact the Data Protection Officer. You are entitled to receive a copy of our records free of charge, within a month.
The accuracy of your information is important to us to be able to provide relevant services more quickly. We are working to make our record keeping more efficient. In the meantime, if you change your address or email address, or if any of your circumstances change or any of the other information we hold is inaccurate or out of date please email us or write to us at:
West Oxfordshire District Council
You can also complain to the Information Commissioner: https://ico.org.uk