COVID-19 privacy notice
This privacy notice is an addendum to the council’s main privacy notice. It explains how we are collecting and using personal data as part of our response to the COVID-19 (coronavirus) pandemic.
- Who is responsible for your information?
- Purposes of processing
- Lawful basis for processing your personal data
- Relevant legislation
- Data sharing
- Further information
Who is responsible for your information?
Unless otherwise stated, Chesterfield Borough Council is the data controller for the personal information collected.
We may need to collect your personal information, or re-use information we already hold about you. This may include sensitive personal information, for example information about your health. This information will be used to prioritise our services and to support those most vulnerable. For some services, this information will also be used to inform risk assessments to ensure the health and safety of our staff and customers.
The council may also use your personal information in order to manage and better understand the spread and impact of the outbreak of COVID-19. This may include using or sharing your data for statistical or reporting purposes. Data will always be anonymised where possible.
We will ask you to provide your name and contact details for the COVID-19 test and trace service when you enter some of our premises or venues. Data will be shared with NHS test and trace if there is a local outbreak and they contact us to request it. If your contact details are shared with NHS test and trace, they may then contact you to provide appropriate advice regarding COVID-19. For further information, please see the privacy notice from the Department for Health and Social Care.
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS test and trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (for example, your name, date of birth and phone number). Where this is the case, this information will continue to be held after 21 days and we will use it as we usually would - please see the when you contact us privacy notice, or relevant service specific notice.
Depending on the circumstances and which premises you visit, our GDPR lawful basis for this processing is either that it is in the public interest, or that it is necessary to meet a legal obligation. Where processing is in the public interest, you have a right to object to the way your personal information is used. If you do not want your data to be shared with NHS test and trace, please raise this with a member of staff.
Test and trace support payments
If you apply to us for the Self-Isolation Payment, we will need to process some personal information about you in order to administer the service, validate your application and provide the payment. This will include:
- name and contact details
- employer’s name and address
- NHS notification number (the unique reference you will be given by the NHS test and trace Service to self-isolate)
- bank account details
- national insurance number
We will carry out checks with the NHS test and trace service and the Department for Work and Pensions (DWP), for verification purposes, Her Majesty’s Revenue and Customs (HMRC), for tax and National Insurance purposes, and potentially with your employer in validating your application.
Information relating to your application will also be sent to the Department for Health and Social Care (DHSC) to help understand public health implications, allow us to carry out anti-fraud checks and determine how well the scheme is performing.
We will provide information to HMRC in relation to any payments we make because Self-Isolation Payments are subject to tax and National Insurance contributions. If you are self-employed, you will need to declare the payment on your self-assessment tax return.
If you apply for a business support grant (including the Local Restrictions Support Grant, the Additional Restrictions Grant or the Restart Grant), we will need to collect information about the business and about the person applying. This will include:
- information about your business and any support already received
- name and contact details of the applicant
- name and contact details for the business
- business bank account details
- proof of the above
We will use the information you provide to carry out checks to verify your eligibility for the support grant, to administer the distribution of the funds and to contact you regarding your application and ongoing eligibility. The information you provide may be used for the prevention and detection of fraud and for other statutory purposes, including enforcement action.
Information will be shared with the Department for Business, Energy and Industrial Strategy (BEIS) for research and evaluation purposes. BEIS may contact you for research purposes regarding the grant, and may further share your data with other government departments, agencies and local authorities for debt recovery and fraud prevention purposes.
We also provide this service on behalf of Derbyshire Dales District Council (DDDC). If you are a customer of DDDC, your personal information will be processed as above, but records of your grant application will also be provided to DDDC. Please see the DDDC privacy notice for information about how DDDC will use your information.
Lawful basis for processing your personal data
How we are processing your personal data will determine the legal basis for processing. The legal bases for processing by the council as a public authority will be:
- Where disclosure is in the vital interests of yourself or another person (Article 6(1)(d) and 9(2)(c) GDPR)
- Where processing is necessary for a public task carried out in the public interest (Article 6(1)(e) and Article 9(2)(g) GDPR)
- Where it is necessary for compliance with a legal obligation (Article 6(1)(c) GDPR)
- Where it is in the interest of public health (Article 9(2)(i) GDPR)
Most of what we will do with your personal data will be covered by existing powers in current laws.
The Department of Health and Social Care has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require local authorities to process confidential patient information for purposes set out in that legislation.
Other relevant legislation includes:
- The Civil Contingencies Act 2004 and The Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005
- legislation directly related to the coronavirus pandemic
We may share your personal information with other public authorities, emergency services, and other stakeholders where we consider it necessary and proportionate, or where we are legally required to do so. This includes, but is not limited to:
- Derbyshire County Council and other local authorities
- Central government departments and related agencies:
- Department for Work and Pensions (DWP)
- Department for Health and Social Care (DHSC)
- Ministry for Housing, Communities and Local Government (MHCLG)
- Her Majesty’s Revenue and Customs (HMRC)
- Public Health England
-
Department for Business, Energy and Industrial Strategy (BEIS)
- Police
- NHS and healthcare organisations
- GP surgeries
- Community groups and volunteers where appropriate
Please get in touch if you would like more information about how the council processes your personal data: