Privacy Notice and Data Protection

This privacy notice is to be read in conjunction with the full privacy notice.

How we use your information

The Public Health team at the London Borough of Sutton is responsible for protecting and improving the health of the population of Sutton. We provide information, advice and guidance on health and wellbeing, promote healthy living and monitor and publish intelligence about local health needs to help the Council, NHS and other partners plan services to meet the needs of the people of Sutton.

We use data and information from a range of sources, including the Office for National Statistics (ONS), Public Health England, NHS England, NHS Digital, local Clinical Commissioning Groups (CCGs), GPs and hospitals to understand more about the health and care needs in Sutton and to support our public health functions. This data also includes data collected at the registration of a birth or death.

Information Held by Public Health

The following data is received by the Local Authority from NHS Digital and is supplied to us under a Data Sharing Agreement (DSA) and in accordance with the legal basis below:

  • General Data Protection Regulation Article 6 (1) (e)
  • General Data Protection Regulation Article 9 (2) (h)
  • Health and Social Care Act 2012 - s261 (5) (d)

Primary Care Mortality Database (PCMD)

The PCMD holds mortality data as provided at the time of registration of the death along with additional GP details, geographical indexing and coroner details where applicable. For more information please visit

Births and Vital Statistics datasets

Births files include the date of birth, sex, birth weight, address, postcode, place of birth, stillbirth indicators and age of the mother.

Hospital Episode Statistics (HES) data

Information about hospital activity is supplied to local authorities by NHS Digital. This contains data collected when someone is admitted to a hospital bed, attends as an inpatient, outpatient, or attends an urgent care centre.

The following data is received by the Local Authority from the Office for National Statistics (ONS) and is supplied to us under a Data Access Agreement for non-disclosive data and in accordance with the following legislation:

  • General Data Protection Regulation
  • Data Protection Act 2018
  • Statistics and Registration Service Act 2007
  • UK Statistics Authority Code of Practice for Statistics

3 Year Aggregated Middle Layer Super Output Area Conception Statistics

Conception data includes the number of conceptions to different age groups, conception rate and confidence intervals.

Commissioned Health Services

The Commissioning Unit commissions providers to deliver sexual health and substance misuse services to residents on behalf of the Council. The provider will collect Personal Identifiable Data from patients to deliver individualised care. This data remains with the provider and is subject to the provider's own Privacy Notice.

The provider may share anonymised data, which does not identify any individuals, with the Council for monitoring and quality purposes and to inform the planning and commissioning of health services.

How is the information used?

Data is received by the Local Authority for the purposes of statistical analysis, the monitoring of population health and demographic change in Sutton, and the planning and commissioning of health services.

Information is used specifically to identify patterns and trends in health and wellbeing, highlighting differences between areas and informing the planning and targeting of health, care and public health services. Information is used to ensure that services are designed to address local health needs and are focused on reducing health inequalities, with specific reference to life expectancy and mortality rates and for work on suicide prevention to identify specific hotspots and risk factors locally.

Data may be used in the production of Joint Strategic Needs Assessments, Annual Public Health Reports, Health and Wellbeing Strategies and local health profiles. Reports will only include anonymised and/or aggregated data, and numbers and rates in published reports based on counts fewer than five are removed to further protect confidentiality and anonymity. All reports are published in compliance with the Office for National Statistics Disclosure Guidance.

Data provided by NHS Digital and the ONS will only be processed by Local Authority employees consistent with the fulfilment of their Public Health function. Data is held securely on Council servers and is only accessible to analytical staff within the Public Health team as agreed in the data-sharing agreement between the Council and relevant agency.

Will we need to share your information?

We use G Suite and Google Cloud Platform to provide our services. This means that your information may be electronically routed to servers outside of the European Economic Area. Google has achieved internationally accepted independent security standards for Information Security Management, Cloud Security and Cloud Privacy and has certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. For more information, visit the Google website.

Confidential public health data will only be shared with other areas of the NHS, local authorities or care organisations with the permission of the Caldicott Guardian, once the necessary legal basis has been established and data protection safeguards have been verified so that the data is managed and used under the same restrictions. Anyone who receives information from the Public Health team is also under a legal duty to keep it confidential.

How long will we keep your information?

We will not keep information for longer than is necessary unless we have a legal obligation to hold the information beyond that time. Data received from NHS Digital and ONS will be kept for the length of time specified in the data-sharing agreement unless a legal obligation requires otherwise.

How can you see what personal information is held about you?

You can ask to see what personal information we hold about you. This is sometimes called a Subject Access Request. We will provide the information to you within one month (unless things are very complicated) and there is no cost for this. If you want to see the information we hold about you, please contact us using the contact details at the end of this notice. You do not have to give any reasons for why you want to see this information.

The National Data Opt-Out

The national data opt-out enables patients to set or update their choice regarding how their confidential patient information is used for purposes of planning and research, except for certain circumstances. The national data opt-out provides a secure and accessible way for patients to opt out of their confidential patient information being used for purposes other than their individual care and treatment, except for certain exemptions.

The national data opt-out is set up directly with the NHS and will apply across all health and care settings by 2020. NHS Digital will respect all opt-out choices from 25th May 2018. Once an individual registers a national data opt-out, their confidential patient information may not be used for the purposes of planning and research. A national data opt-out will not apply retrospectively, meaning it does not need to be applied to data that has already been processed. At the point a particular dataset has been used or released, all patients who opted out at that time will be removed.

Data received by the Local Authority from NHS Digital will already have had national data opt-out choices applied.

How to Contact Us

You can contact us on 020 8770 5000

Visit us at Sutton Central Library, St Nicholas Way, Sutton, SM1 1EA

Write to us at Public Health, Civic Offices, London Borough of Sutton, St Nicholas Way, Sutton, SM1 1EA

Data Protection Officer Contact Details

Please contact the London Borough of Sutton if you have any questions about our privacy policy or the information we hold by email or write to us at Data Protection Officer, London Borough of Sutton, Civic Offices, St Nicholas Way, Sutton, SM1 1EA.

If you would like to know more about your rights under the Data Protection Act, and what you should expect from the Council, the ICO (Information Commissioner's Office) can be contacted for further advice.