Covid-19 response privacy notice - Privacy notices

What personal information do we collect?

When you contact us by phone, email or through the Council's website we may need to collect personal information about you or your family so that the appropriate support and services can be provided. We also require your contact details when you visit our premises for the purpose of test and trace. The information we require from you will include personal data and special categories of personal data, such as

  • Contact details - title, full name, address, email address, telephone number etc
  • Date of Birth / Age
  • Proof of identity - this will only be collected where required
  • Next of Kin details
  • NHS number or other identification numbers
  • Date of travel / last visit to high risk countries
  • Health details relating to your physical and/or mental health
  • Financial details for purposes of receiving and/or making payments
  • Housing information relating to your Council tenancy
  • Details regarding whether you hold a Drivers' Licence
  • Details regarding whether you have a current DBS
  • IP Address (if using our website) It will only be necessary to collect this type of information where it is of relevance to the support and services you require.

We use your personal data within the rules set under Data Protection law and we will only collect data that is absolutely necessary. The information we receive about you can be given to us directly by you, a family member or in some cases can be shared with us by another organisation due to the Council having a role in a service they are providing. This includes organisations such as national and local NHS bodies, the Office for National Statistics, NHS Digital, other local authorities and schools.

Why do we process personal data?

Processing your information is necessary under Article 6(1)(e) the performance of a task carried out in the public interest or in the exercise of our official authority. Specifically, under the Civil Contingencies Act 2004 we have a duty to assess, plan and advise in respect of an event or situation which threatens serious damage to human welfare. We process special category data under Article 9(2)(i) for reasons of public interest in the area of public health Specifically, if there is a significant threat to health of the public, for instance an outbreak of an infectious disease, the Council has the legal right to use identifiable data under: Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002. Therefore, we have a duty under the law to collect and process information in order to exercise our statutory public health functions, such as:

  • Manage risks to public health
  • Control of infection
  • Provide support and health protection
  • Preventing illness
  • Monitoring safety
  • Research and emergency planning
  • Analyse patterns and trends to help us create strategies and decision making
  • Future epidemiological analysis We process information for the purposes of test and trace under Article 6 (c) processing is necessary for compliance with a legal obligation to which the controller is subject.

We are mandated by law, by a set of new regulations from the government, to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of coronavirus.

Who has access to your personal data?

If we are required to, we will share your information with internal departments and other service providers, contractors and/or partner bodies, but only where it is necessary and as described above. These third parties include

  • Public Health England
  • NHS
  • GP practices
  • Other Local Authorities
  • Local Voluntary Partners
  • Emergency Services
  • Care providers
  • Contracted suppliers and volunteers who have been procured to provide support and services to our residents.

We will ensure that any personal data in our care will be kept safe and that where your information is disclosed to a third party, we will ensure they do the same via a contract or information sharing agreement. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our processors to use your personal data for their own purposes and only permit them to process your personal data for specified reasons and in accordance with our instructions and data protection laws. They are also obliged to implement appropriate technical and organisational measures to ensure the security of data. We will not use your personal data for third party marketing purposes without your prior express consent. The organisation will not transfer your data to countries outside the European Economic Area.

How do we protect personal data?
We take the security of your data seriously. The Council has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Data will only be processed by members of staff authorised by the Council as Data Controller for this purpose. Access to our systems is limited to employees whose job role requires access to the personal data.
How long do we keep your personal data?
We keep data for the minimum amount of time necessary. Some information has to be retained for legal reasons and information can be kept longer to understand decisions that have been made. Information held for the purposes of test and trace will be kept for 22 days.
Your rights

As a data subject, you have a number of rights, including access to your data. A request for access can be made via our website or by sending an email to foi@runnymede.gov.uk

Data Protection Subject Access Request(SAR) | Introduction – Runnymede Borough Council

To find out more about your rights please see the ‘Your Rights’ section of our main privacy statement

If you believe that Runnymede Borough Council has not complied with your data protection rights, you should initially try to resolve it with the relevant department.

If you are unable to resolve the issue to your satisfaction contact our Data Protection Officer (DPO) who will investigate. If you remain dissatisfied with the outcome of the DPO’s review you can make a complaint to the Information Commissioner. You can find out further information on making a complaint to the Information Commissioner on their website Information Commissioner's Office (ICO)