Privacy notice for hospital episodes statistics

Who is collecting and using your personal data?

Devon County Council (DCC) is a Data Controller under Data Protection Legislation and our ICO registration number is Z6475582. This privacy notice concerns the processing of pseudonymised Hospital Episodes Statistics that takes place by the Devon County Council Public Health Service.

This notice explains what information we collect, why we collect it and how we keep it secure. It also explains your rights and our legal obligation. Should you wish to find out more about Devon County Council’s data protection policies please contact our Data Protection Officer.

We will notify you of any changes to this privacy notice.

This privacy notice was last updated on 26/02/2020. If we use your personal data for any new purposes, updates will be made to the policy information and changes communicated, where necessary in accordance with current data protection legislation. Any queries relating to this privacy notice please contact the Data Protection Officer.

What information do we collect?

Information about hospital activity is supplied to local authorities by NHS Digital and contains data collected when someone is admitted to a hospital bed, attends as an outpatient, or attends an urgent care centre. Devon County Council has a Data Access Agreement with NHS Digital and data are supplied in accordance with section 261 of the Health and Social Care Act 2012, and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

Data supplied are pseudonymised, a process by which information within a data record that may identify an individual is replaced by artificial identifiers or pseudonyms which means that individuals are no longer identifiable. Information held includes age, method of admission, source of admission, diagnosis codes, procedure and investigation codes, area of residence, hospital attended, date of attendance, and GP practice of patient. More information on this dataset can be found here:

How will we use your personal data?

This information is used for the purposes of statistical analysis, the monitoring of population health in the county, and to inform the planning and commissioning (buying) of health services.

This information is used to monitor the local responsiveness, targeting and value for money of services, to provide public health advice and support to local NHS commissioners, and to monitor trends in the incidence and prevalence of disease and risks to public health, demand for and access to health care services, variations in health outcomes between groups, the integration of local health and care services and the association between causal risk factors and health outcomes.

It is used to inform the planning and targeting of health, care and public health services. Analyses produced are used within the Annual Public Health Report, the Joint Strategic Needs Assessment (which in turn informs the Joint Health and Wellbeing Strategy and local commissioning plans), the pharmaceutical needs assessment, health needs assessments and the local disaggregation of national performance measures in the health and wellbeing outcomes report and the public health outcomes report.

No person-identifiable information is published, and numbers and rates in published reports based on counts fewer than five are removed to further protect confidentiality and anonymity.

Information is held in a secure database which is only accessible to analytical staff within the Devon Public Health Intelligence Team. The database is on a secure internal network protected by AES 256 encryption and can only be accessed within this network.

Data will be held be for deaths registered from 1996 onwards consistent with the data access agreement between NHS Digital, the Office for National Statistics and Devon County Council.

This data will be obtained from NHD Digital under our Data Access Agreement. The council only uses IT systems for these purposes which are supplied under a contract and where the security has been assessed. For more details about the council’s security arrangements please visit

Why we collect and use pseudonymised data

This information is used to ensure that health, social care and public health services address local health needs and are focused on reducing health inequalities (differences in levels of ill health and premature deaths between groups and areas).

Pseudonymised data that is collected for any of the purposes outlined in this notice is never used for direct marketing purposes and is not sold on to any other third parties. Information that is collected for any of the purposes listed on this privacy notice will be held for 10 years and will then be securely disposed of.

The legal basis for us collecting your personal data

Where we are processing pseudonymised data for any of the purposes outlined in this privacy notice, we rely upon the following lawful conditions for processing:

  • Article 6(1)(c) – processing that is necessary for DCC to fulfil a statutory obligation
  • Article 6(1)(e) – processing for the purposes of delivering a public task carried out in the public interest

If we feel that it is necessary to share your personal data with professionals to ensure you or someone you work with is safeguarded from harm, we rely upon the provisions of the Safeguarding Vulnerable Groups Act 2006 and Children Act 1989 and 2004.  Where it is necessary to share medical or social care information for these purposes, we rely upon article 9(2)(h) of the General Data Protection Regulation (information necessary for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems).

We may also need to share some personal data about you so that we can support third party organisations to discharge their regulatory requirements. This includes organisations such as:

  • The data protection regulator (the Information Commissioner’s Office)
  • The Care Quality Commission

We may also share information to enable us to comply with court orders and other legal obligations. If this is necessary, we will only share the minimum amount of personal data needed for this purpose.

How long will we hold your personal data?

We will retain your personal data for only as long as is necessary and in line with our organisation’s record retention schedules.

Your data protection rights

Under Data Protection Legislation, you have the right to obtain a copy of their personal records held by us, this is called a Subject Access Request (SAR).

You have the right to opt-out of the Devon County Council Public Health Intelligence Team receiving or holding your personal identifiable information. There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues. The process for opting out will depend on the specific data is and what programme it relates to. If you have any questions about our use of these data, wish to request a copy of the information we hold about you, or if you wish to discuss your rights in relation to opting-out from these processes, please contact the Public Health team by telephone on 01392 386371, by email at or by post at Public Health Intelligence Team, Devon County Council, County Hall, Topsham Road, Exeter, EX2 4QD. More information about how the Council will protect your privacy is available from our website at

International transfers

No data that is to be processed for any of the purposes outlined in this privacy notice, to be transferred to countries outside of the legislative scope of UK data protection laws.


If you have any comments, queries or complaints about this privacy notice or the processing of your personal data please contact our Data Protection Officer.

Alternatively, if you are not happy with the way that DCC is handling your personal data, you are entitled to appeal to the Information Commissioners Office (ICO). The Information Commissioners Office enforces and oversees the Data Protection Regulations.

Contact details are below:

Information Commissioner’s Office
Wycliffe House
Water Lane


Automated decisions

No automated decisions will be taken that affect individuals whose personal data are being processed for any of the purposes outlined in this notice.