COVID-19 privacy statement

We keep this privacy notice under regular review and it was last updated on 5 May 2020.

Kent County Council respects your privacy and is committed to protecting your personal data. This privacy notice is supplemental to our corporate privacy statement, and will inform you as to how we will process, share and look after your personal data in response to and during the Covid-19 (coronavirus) pandemic.  This privacy notice will be kept under review as the pandemic develops.

Who we are

For information about who we are, please read our corporate privacy statement.

The personal information we collect and use

Information collected by us

In the course of responding to the COVID-19 (coronavirus) pandemic and providing you with the support you need, the personal information we will collect about you will include:

  • name
  • contact details e.g. phone number or email address
  • household composition
  • address
  • date of birth
  • age
  • NHS number
  • financial information

We will also collect ‘special category data’ (personal data which is more sensitive and is treated with extra care and protection) about you, including information about your health, care and support needs.

We will obtain personally identifiable data from other sources in order to identify people who are vulnerable to the coronavirus, or may require support as a result of the coronavirus. This includes personal information about individuals who do not meet our normal support criteria, but have had their normal support from family or friends reduced or interrupted.

We will obtain information from the Government Digital Service (this may include data from the NHS and other departments), and we will also obtain it from providers of care homes, nursing homes, and domiciliary care services. We will additionally receive information from district and borough councils, and voluntary organisations.

How we use your personal information

We will use your personal information to:

  • identify and record people who may be vulnerable to the coronavirus or otherwise require support during the pandemic
  • deliver the Vulnerable Patient Service (whereby we will receive information from the NHS’ Vulnerable Patient List in order to coordinate care provision for persons identified as vulnerable in relation to COVID-19, and in accordance with the online form submitted by the user, for food, medicine, medical, health and/or mental health support)
  • understand COVID-19 and risks to public health
  • understand information about patient access to health services and adult social care services and the availability and capacity of those services or that care
  • monitor and manage the response to COVID-19 by health and social care bodies and the government, including providing information to the public
  • for research and planning in relation to COVID-19

This list may change depending on the needs of the response efforts. However, any use of data will be proportionate and necessary for the delivery of those efforts.

Reasons we can collect and use your personal information

We rely on the following as the lawful bases on which we collect and use your personal data:

  • ‘Vital Interests’ (the processing is necessary to protect someone’s life), Article 6(1)(d)
  • ‘Public Task’ (the processing is necessary to perform a task in the public interest or for our official functions), Article 6(1)(e).  The legislation which underpins this lawful basis includes:
    • Care Act 2014
    • Children’s Act 1989
    • Health and Social Care Act 2012
    • Homelessness Reduction Act 2017
    • Localism Act 2011
    • Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002

Additionally, for the collection and use of special category data during the pandemic, we rely on the following legal bases:

  • It is necessary for the purposes of carrying out obligations in the field of social protection law, Article 9(2)(b) GDPR (along with the accompanying condition in the Data Protection Act 2018 as set out in Schedule 1, condition 1).
  • It is necessary for reasons of substantial public interest, Article 9(2)(g) GDPR (along with the accompanying condition in Schedule 1 of the Data Protection Act, i.e. for statutory and government purposes, or for the safeguarding of children and individuals at risk).
  • It is necessary for reasons of public interest in the area of public health, Article 9(2)(i) GDPR. (along with the accompanying condition in the Data Protection Act 2018 as set out in Schedule 1, condition 3).
  • It is necessary for the provision of health and social care, Article 9(2)(h) GDPR (along with the accompanying condition in the Data Protection Act 2018 as set out in Schedule 1, condition 2.
  • It is necessary for the protection of vital interests, Article 9(2)(c) GDPR.

How long your personal data is kept

Some of the information being used will already be held by us and will be kept in line with our retention schedules.

However, we will be collecting new information as a result of the response to the pandemic.  We will not keep this information for any longer than necessary. We do not yet know how long the pandemic will continue for, so the requirement to keep this information will be kept under review.

Who we share your personal information with

We are working with partners and organisations locally and nationally to make sure we deliver a co-ordinated and good service to you. We will share personal information where it is necessary and proportionate in responding to the pandemic and providing you with care and support. We will, where applicable, share your personal information, including health information, with the following:

  • community hubs
  • the NHS
  • local NHS Trusts
  • GPs and hospitals
  • district and borough councils
  • health and care providers
  • voluntary organisations and any other providers where we feel they can help meet your service needs

This is not an exhaustive list and may change as the situation with the pandemic does. Please also refer to the main corporate privacy statement for further examples of third parties who we may need to share your information with, if appropriate and necessary.

Your rights

Under GDPR you have rights which you can exercise free of charge which allow you to:

  • know what we are doing with your information and why we are doing it
  • ask to see what information we hold about you (subject access request)
  • ask us to correct any mistakes in the information we hold about you
  • object to direct marketing
  • make a complaint to the Information Commissioner's Office
  • withdraw consent at any time (if applicable).

Depending on our reason for using your information you may also be entitled to:

  • ask us to delete information we hold about you
  • have your information transferred electronically to you or to another organisation
  • object to decisions being made that significantly affect you
  • object to how we are using your information
  • stop us using your information in certain ways.

We will always seek to comply with your request, however we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under GDPR.

If you would like to exercise a right, please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Contact

For information on who to contact if you wish to exercise any of your rights or have a complaint about how your personal data has been used, please refer to the corporate privacy statement.

The council is identifying alternative ways of delivering its services during the pandemic, for example, replacing face-to-face visits with telephone or video-conferencing. You will be provided with a more specific privacy notice by those services, where relevant. You can also refer to other service specific privacy notices via our corporate privacy statement.