Privacy notices

Who we are

Croydon’s Public Health service has a responsibility to protect and improve the health of our local population. It has a Public Health duty of care to the residents of Croydon, people receiving health and care services in Croydon and people who work or attend school in Croydon. Public Health teams within Local Authorities are also required to commission and manage services for their population.

To help with this, we use data and information from a range of sources including the Office for National Statistics, the Office for Health Improvements and Disparities, the UK Health Security Agency, the Department for Health and Social Care, NHS England, NHS England Digital, GP practices, the local Integrated Care System, pharmacies, hospitals and commissioned services to support our public health functions and understand more about the nature and causes of disease and ill health and the health and care needs in our local population. 

This information can contain Personal Data.
 

What information we collect

To fulfil its duties, the Public Health Team collects or holds collects a variety of data including:

• Details collected at the registration of a birth or death
• Hospital episode statistics
• Information on the provision of public health services. This includes;
  • Sexual and reproductive health services
  • Drug and alcohol treatment services
  • Stop smoking services
  • 0 to 5 health services
  • School nursing services
  • Immunisations
  • Health improvement services
  • Other public health initiatives
• Information about personal feelings, lifestyles and behaviours collected through population surveys
• Information regarding the prevalence of disease, including cancer registrations
• Information about health and social care use; including GP services, hospital services, pharmacy services, NHS community services, mental health services and social care services

Whilst much of this information is collected at a whole population level, some of the data provided is at an individual level.
Information that relates to an identifiable living individual who can be either identified from that data or identified from the information combined with any other information that is in the possession of or is likely to come into the possession of the person or organisation holding the information, is Personal Data.

Personal data

Personal data can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify you. Examples of personal data could be your name, address, telephone number, date of birth or financial information.
Some personal data is shared with us, often under specific data access agreements. Standard information that is used to identify you will be NHS Number, name, date of birth and postcode.

Special Category Data 

Some data is considered to Special Category Data and needs more protection due to its sensitivity. Often, it is information that is very personal to you. The types of data defined that this service are likely to process may way include:

• racial or ethnic origin
• sexuality or sexual health
• physical or mental health
   

How and why we use this information

How we collect it

This information is provided to the Public Health Team either directly from the public, or by national and local NHS organisations, NHS England Digital and local authority services and organisations. The information is shared with us in accordance with the principles outlined within the data protection legislation.

Why we collect it

The Health and Social Care Act 2012 gives local authorities the power to perform public health functions. This means that Croydon Council has “a duty to improve the health of the people and responsibility for commissioning appropriate public health services”.

Croydon Council collects and processes an amount of information that is necessary for us to deliver those responsibilities. Any personal data we hold is collected and processed in accordance with the requirements of the Data Protection Act 2018. 

How we use it

The Croydon Council Public Health Team will access demographic, health and related information to analyse the changing population of Croydon, the health needs and outcomes of the local population, monitor trends and patterns of disease and the associated risk factors.

Examples of what this analysis informs include:

• Statutory responsibilities such as the delivery and production of the Joint Strategic Needs Assessment (JSNA), the local Health and Wellbeing Strategy and the Director of Public Health Annual Report
• Informing commissioning and design and delivery of services
• Health equity analyses
• Clinical audits
• Identifying and tackling inequalities
• Identifying priorities for action
• Public health surveillance
• Evaluation of performance of the local health and care system
• Health protection and other partnership activities

No personal-identifiable information is published, and number and rates in published reports based on counts of fewer than five are removed to further protect confidentiality and anonymity.
 

The legal basis for this

The local authority has a legal status allowing the processing of Personal Confidential Data for certain public health purposes under Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

The legal basis for the flow of data for the above purposes is set out in Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012).

In all cases the legal basis for the processing of this information is derived from the statutory functions listed and subsequently falls with the General Data Protection Regulations (GDPR) article conditions below:

• 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject
• 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
• 9(2)(i) processing is necessary for reasons of public interest in the area of public health
• 9(2)(j): processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
   

How we keep your information safe and secure

We are required to comply with the UKGDPR and the Data Protection Act 2018 to ensure information is managed securely and this is reviewed annually as part of our NHS Information Governance Toolkit assessment.

Information is strictly made available via secure transfer only to key professionals who have a clear and legal need to see it. All staff are required to undertake regular traininrate prg and comply with policies and procedures around Data Protection, information security, confidentiality and the safe handling of information. The data are used in such a way that personal identifiable details are removed as soon as possible in the process of analysis.

All data is stored securely will not be held longer than required based on the relevant retention policy.

Personal identifiable data will not be disclosed to anyone other than those processing the data for the above purposes without permission, unless we have a legal reason to do so, for example disclosure is necessary to protect a person from suffering significant harm or necessary for crime prevention or detection purposes. 

Requesting access to your Personal Data

Under the UK GDPR and the Data Protection Act 2018, you have the right to request access to information that we hold about them. To make a request for your personal information, please contact the Council’s Information Management Team at SAR@croydon.gov.uk.

Further information

The UKGDPR and Data Protection Act 2018 give you a number of rights to control what personal information is used by us and how it is used by us. Information about your individual data rights is listed in the Council’s Corporate Privacy Notice.
For advice about data protection issues, you can contact the Information Commissioner’s Office (ICO).

If you have any questions or concerns about the way we collect, store or use your personal information, please contact the Information Management team at information.management@croydon.gov.uk to exercise any of your rights under GDPR, or if you have a complaint about the information we have collected, how it used, who we share it with, why we share it and how long we will keep it for.

The Council’s Data Protection Officer can be contacted at dpo@croydon.gov.uk.

We reserve the right to amend this Privacy Notice at any time and will keep it under review. If we do make any changes, we will post the current version to our website at this address.

Last updated: February 2026