Dudley Council

Privacy Notice for the Food Safety Service

Dudley Metropolitan Borough Council (MBC) - Environmental Health & Trading Standards (EHTS)

We are committed to protecting your personal data and ensuring that it is processed fairly and lawfully. Information you provide to us will be processed in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018) and subsequent legislation. For the purposes of Data Protection, Dudley MBC is the Data Controller.

Who we are and what we do

We are the Food team, part of Dudley Metropolitan Borough Council’s Environmental Health and Trading Standards service. We are part of the Health and Wellbeing Service delivered within the People Directorate.

The Food team’s role is to ensure food produced, handled or sold within the Dudley Borough is safe to eat and correctly labelled. We do this by:

  • Registering/approving and inspecting food businesses
  • Investigating complaints about food and food premises
  • Investigating cases of infectious disease
  • Sampling of food
  • Providing advice and guidance to food business operators, food handlers and members of the public

We also inspect food premises for compliance with health & safety legislation and enforce the smoke free requirements for all premises in the borough.

For more information about our services please see the Dudley Council website.

What type of personal information do we collect and how do we collect it?

If you are a food business operator (FBO), when we register/approve your business we collect the following information from you:

  • Your name
  • Business name
  • Address (including the address of the FBO if this is different to the business address)
  • Telephone number (including the number of the FBO if this is different to the business number)
  • E-mail address (including that of the FBO if this is different to the business email)
  • The names of your employees who are food handlers and their food hygiene qualifications

If you are making a complaint about food or a food business or you are requesting advice we collect the following information:

  • Your name
  • Your business name (if applicable)
  • Address
  • Telephone number
  • E-mail address (if applicable)

When we investigate cases of infectious disease (including food poisoning), we collect the following information:

  • Your name
  • Your job or business name (if applicable)
  • Address
  • Date of birth
  • Telephone number
  • E-mail address (if applicable)
  • Details of your employment (or in the case of your child, their school details)
  • Medical information, including when you became ill, symptoms and duration of illness
  • Names of family members, or other close contacts, together with their employment or school details
  • Places you have visited, eaten at or bought food from

We collect information from you in the following ways:

  • Paper forms
  • Online forms
  • Telephone conversations
  • Face to face meetings
  • Copies of notifications
  • From other agencies (for example Public Health England, the Food Standards Agency or other local authorities)
  • From copies of certificates
  • From other people (for example from people making a complaint about a business)


Legal basis for processing

Our legal basis for data processing comes from Articles 6 and 9 of GDPR.

Legal obligation - Article 6 (1) (c) - processing is necessary for compliance with a legal obligation to which the controller is subject.

Public task - Article 6 (1) (e) – processing is necessary for us to perform a task carried out in the public interest or for our official functions.

When we investigate infectious disease, the lawful basis for processing is under Article 6 (1) (e), public task, and Article 9 - processing is necessary for reasons of public interest in the area of public health.

Legislation enforced by the service includes:

  • Food Safety Act 1990, as amended
  • Food Safety and Hygiene (England) Regulations 2013
  • Official Feed and Food Controls (England) Regulations 2009
  • Trade in Animal and Related Products Regulations 2011
  • Food Information Regulations 2014
  • Official Controls (Animals, Feed & Food) Regulations 2006
  • Animal By-Products (Enforcement) (England) Regulations 2013
  • Public Health (Control of Disease) Act 1984
  • Health Protection (Local Authority Powers) Regulations 2010
  • Health Protection (Part 2A Orders) Regulations 2010
  • Health Act 2006
  • Health & Safety at Work etc Act 1974

What is your personal information used for?

The information we collect is used for the following purposes:

  • To register/approve and regulate food businesses and check compliance with food law
  • To hold FBOs who fail to comply with the law to account
  • To investigate complaints about food and food premises
  • To investigate the causes of infectious disease and prevent its spread
  • To provide updates on the progress of investigations
  • To offer advice and guidance to businesses and members of the public

Sharing your personal information

Details of food businesses and food business operators may be shared with the Food Standards Agency, the independent government department responsible for food safety.

Under prescribed circumstances, for example the prevention and detection of crime or for tax collection purposes, we may share food business or FBO personal information with:

  • The Police
  • HMRC
  • Home Office Immigration
  • Other Dudley MBC departments/services, for example, planning, building control, licensing, revenues and benefits
  • Other local authorities

We share personal details relating to cases of infectious disease with Public Health England.

Keeping your personal information secure

We are committed to protecting personal data and have data policies and procedures in place to ensure that it is safeguarded. Contact information is held securely on the database service used. All staff undertake regular training in data protection and managing personal information.

Amount of time we hold your information

Information is kept in accordance with our retention policy. After we deliver a service to you, we keep your information as a business record of what was delivered. The retention period is 7 years.

Personal information processed outside the European Economic Community (EU)

We do not process your personal information outside the EU unless you specifically request us to do so, for example on an export certificate.

At no time will your information be passed to organisations external to us or our partners for marketing or sales purposes or for any commercial use without your prior express consent.

National data opt-out

National Data Opt-Out and use of NHS data.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a Care or Patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

•  improving the quality and standards of care provided
•  research into the development of new treatments
•  preventing illness and diseases
•  monitoring safety
•  planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit Your NHS Data Matters. On this web page you will:

•  See what is meant by confidential patient information
•  Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
•  Find out more about the benefits of sharing data
•  Understand more about who uses the data
•  Find out how your data is protected
•  Be able to access the system to view, set or change your opt-out setting
•  Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
•  See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

•  NHS UK Information About Patients (which covers health and care research); and
•  Understanding Patient Data What You Need to Know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes, and data would only be used in this way with your specific agreement.

Health and care organisations have until March 2021 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

What are your rights?

Your rights are detailed in the Council’s Corporate Privacy Notice.

Should you wish to raise any concerns about how we have processed your personal data, you can contact the Data Protection Officer by email at information.governance@dudley.gov.uk

You also have the right to contact the Information Commissioner.

If you would like a copy of this information in a different format, please email information.governance@dudley.gov.uk