Our personal information charter contains the standards you can expect when we ask for, or hold, your personal information. It also covers what we ask of you, to help us keep information up to date.
We know how important it is to protect your privacy. If we ask for your personal information we will:
- let you know why we need it
- only ask for what we need
- make sure nobody has access to it who shouldn’t
- let you know if we share it with other organisations to give you better public services, and whether you can say no
- only keep it for as long as we need to
- not make it available for commercial use (such as marketing) without your permission
In return, to help us keep your information reliable and up to date, we ask you to:
- give us accurate information
- tell us as soon as possible of any changes, such as a new address.
In dealing with your personal information, we will also:
- value the personal information you give to us and make sure we respect that trust
- abide by the law when it comes to handling personal information
- consider the privacy risks when we are planning to use or hold personal information in new ways, such as introducing new systems
- provide training to staff who handle personal information
- respond appropriately if personal information is not used or protected properly
How to find out what personal information we hold about you
You can find out if we hold any personal information about you.
To help us give you the information you want, we need you to tell us which part of PHE you have been dealing with and why you believe we hold information on you.
If we do hold information about you we will:
- give you a description of it
- tell you why we are holding it
- tell you to whom it could be disclosed
- let you have a copy of the information in an intelligible form
When we share information
We may share personal information within our organisation or with other bodies where necessary, and where we are required or permitted to do so by law.
There may be limited circumstances where we share your information with third parties without telling you but this would only be where the law requires it, for example, crime prevention and detection purposes under the DPA 1998.
How we handle personal information
PHE staff process all information under medical supervision and are trained to treat any personal details in the strictest confidence, in compliance with the DPA and NHS Caldicott Guidelines. Our staff have the same duty as other healthcare professionals to maintain confidentiality. Any deliberate or negligent breaches of this policy are disciplinary offences. Individual case reports are shared only with the healthcare professionals caring for the patient.
We remove any personal details attached to information, to make it anonymous, as soon as we can.
PHE will retain as little named information as possible about individuals at every stage. Many reports made to us do not contain names, and within two years we have usually removed any details that could identify the individual from the information we hold. Exceptions are where long-term follow up is needed, or the law or professional guidance requires us to keep the information for longer than that.
We will also work with the NHS to reduce the amount of identifiable information that is held: for example by using the NHS number instead of the name. We will use the special arrangements already in place to protect the confidentiality of patients seen in sensitive situations such as sexual health clinics. We base our use of information on adherence to the DPA 1998, the law for notifiable disease and section 251 of the NHS Act 2006 (originally enacted under Section 60 of the Health and Social Care Act 2001).
PHE complies with the advice of the Health Research Authority Confidentiality Advisory Group, where required.
We check the information we hold is accurate and up to date.
The training and guidance we give to our staff
We train all new staff about data protection and provide guidance on all aspects of information handling. PHE provides general awareness training to all our staff, and anyone who handles information receives specific training.
Further details on the kinds of personal information PHE uses, and why is available in this leaflet:
How to make a complaint
If you are unhappy with the way we have handled your personal information and wish to make a complaint, please write to the PHE Complaints Manager. We will acknowledge your complaint within 3 working days and let you have a full response within 20 working days. If it is not possible to respond fully within this timescale, we will write and let you know why and say when you should receive a full response.
Public Information Access Office
Public Health England
61 Colindale Avenue
When we ask you for information, we will keep to the law, including the DPA 1998. For independent advice about data protection, privacy and data sharing issues, you can contact:
Phone: 08456 30 60 60 or 01625 524510