Skip to main content
Dudley Council
Dudley Skyline

Coronavirus (Covid-19) Privacy Notice

This privacy notice is to explain and provide you with information on how we collect and hold information about you in relation to the unprecedented challenges we face as a result of the Coronavirus pandemic (COVID-19).

View the council’s Corporate Privacy Notice.

This contains more information on how we collect, use and protect personal data generally, as well as your rights as a data subject.

What information do we collect and how will we use it?

In order to best respond and help coordinate the community response for COVID-19 it is necessary to collect details about you including your name, address, telephone number and email address.

We may also ask you for sensitive personal data that you have not already supplied, for example, your age or if you have any underlying illnesses or are vulnerable. This is so we can assist you and prioritise our services. We will collect:

  • Name;
  • Contact information (home address, telephone number, email address);
  • NHS number;
  • Your District (to coordinate with the relevant District Council);
  • Health and social care data, including ‘confidential patient information’;
  • Information relevant to your needs during the outbreak or your support needs if you are a carer;
  • Information about what support you can provide to others.

We may also ask you for information to help us identify and understand about those suffering with, or at risk of suffering with, COVID-19; information about incidents of exposure to COVID-19 and the management of outbreaks of or the risk of COVID-19 including locating, contacting, screening, flagging and monitoring such incidents and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19.

Whilst we may already hold data about you, you may have provided this information for a specific reason and normally we would seek to inform you that the data provided would be being used for a different reason, however, due to the rapidly emerging situation regarding the current pandemic this will not always be possible.

An example of this is where you have provided us with your email address. At this time, it is in the council’s and the public’s legitimate interest to keep you informed of matters. As a consequence, your email address will be used to keep you informed of specific matters including, but not limited to, relating to covid-19 interventions and impacts, availability and delivery of council run services or those offered by or working in partnership with the council.

Additionally, at this time, we may seek to collect and process information from you, which is above and beyond what would ordinarily be collected. This is necessary to ensure your safety and well-being, however we will ensure that this will be limited to what is proportionate and necessary for us, in accordance with Government guidance, to manage and contain the virus and enable us to effectively keep people safe, put contingency plans into place to safeguard those who are vulnerable and to aid business continuity. We aim to:

  • understand Covid-19 and the risks to public health, trends in Covid-19 and such risks, and controlling and preventing the spread of Covid-19 and such risks;
  • identify and understand information about patients or potential patients with or at risk of Covid-19, information about incidents of patient exposure to Covid-19 and the management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to self-isolation, fitness to work, social interventions and recovery from Covid-19;
  • understand information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19 and the availability and capacity of those services or that care;
  • monitor and manage the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness and information about capacity, equipment, supplies, services and the workforce within the health services and adult social care services;
  • deliver services to service users, vulnerable individuals, patients, clinicians, the health services and adult social care services workforce and the public about and in connection with Covid-19, including the provision of information and the provision of health care and adult social care services;
  • research and plan in relation to Covid-19; and
  • help understand the response to an emergency and build lessons learnt.

We will also use your data to better understand the services we provide and to help us build those services for the future. We may also use your data to identify if our services are fulfilling our legal obligations.

What is the lawful basis for processing personal data?

The Department of Health and Social Care has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require Dudley Council to process confidential patient information for purposes set out in Regulation 3(1) COPI. The council will collect and use your personal information in order to manage and mitigate the spread and impact of the current outbreak of Covid-19:

  • for the purposes of research,
  • to protect public health,
  • to provide public health and social care services to the public, and
  • to monitor and manage the Covid-19 outbreak and incidents of exposure.

NHS Digital have further advised that from 1st January 2022 the Agreed Purposes are amended to permit relevant organisations to continue to process Disclosed Shielded Patient List (SPL) data for:

1. the purposes of providing direct care and support to people who were previously clinically extremely vulnerable;
2. the purposes of the Public Inquiry

Article 6 (GDPR) lawful basis for processing personal data:

  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary for the performance of task carried out in the public interest
  • Processing is necessary in order to protect the vital interests of data subjects

Article 9 (GDPR) condition for processing special category personal data:

  • Processing is necessary for reasons of public interest in the area of public health

We also consider that the following criteria is met:

Article 6(1)(d) GDPR - processing is necessary in order to protect the vital interests of the data subject or another natural person.

Recital 46 adds that "some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread".

Article 6(1)(e) GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The processing of special categories of personal data, which includes data concerning a person’s health, are prohibited unless specific further conditions can be met as follows:

Article 9(2)(i) GDPR – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

Schedule 1, Part 1(3) Data Protection Act 2018 – processing is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Article 9(2)(g) GDPR - processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The legislations, policies and guidance that relate to this service include, but are not limited to:

The Civil Contingencies Act 2004 and (contingency planning) Regulations 2005 Allows the local authorities continue to exercise its functions in the event of a emergency

The Local Government Act 2000 - Give powers to local authorities to promote economic, social and environmental well-being within District

Care Act 2014 - legal framework for local authorities support the individual’s ‘wellbeing’

Who are we likely to share this information with?

In this current pandemic, we may share your personal data internally within our various departments and services as well as externally with other public authorities, emergency services, and other stakeholders, as necessary and proportionate to do.

This includes, but not limited to:

  • Our providers;
  • Department of Health and Social Care, and all arm’s length bodies of the department;
  • Other central government departments as appropriate;
  • Police
  • GP practices;
  • Dudley Group of Hospitals Foundation Trust;
  • Dudley Clinical Commissioning Group;
  • NHS Digital;
  • NHS England;
  • NHS Improvement;
  • Other providers of healthcare or NHS bodies where appropriate;
  • Other local authorities where appropriate;
  • Community Groups;
  • Volunteers and charities;

Storing your information

We will only keep your information for as long as it necessary, taking into account Government advice and the on-going risk presented by Coronavirus. As a minimum the information outlined in this privacy notice will be kept for the duration of the COVID-19 response.

Where possible we will anonymise your personal data so that you cannot be identified.

When the information is no longer needed for this purpose, it will be securely deleted.

Further information

The Information Commissioner's Office has published its own FAQs on data handling during the pandemic.

If you would like further information about how we manage your data, please see the council’s Corporate Privacy Notice.

If you have any concerns or additional questions about how your personal data is handled, please contact the Data Protection Officer

on 01384 817006

or email:

or post:

Dudley Council
The Council House
Priory Road
West Midlands