Merton Council is a data controller for the purposes of the Data Protection Act and is registered as a data controller (registration number Z4606899). The Public Health team of Merton Council also have a legal status allowing the processing of Personal Confidential Data for certain Public Health purposes. The use of such data will be restricted so that the principles contained in the Data Protection Act 1998, General Data Protection Regulation (GDPR) and NHS Caldicott Principles are fully adhered to. The legal basis is section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

The Public Health service of Merton Council is responsible for protecting and improving the health of the population of Merton. To help with this, we use data and information from a range of sources, including data collected at the registration of a birth or death, to understand more about the health and care needs in the area. Public Health teams within Local Authorities are also required to commission and manage services for their population.

The data collected in Merton Council Public Health

We hold and collect personal identifiable information for Public Health purposes about:

  • residents of Merton
  • people receiving health and care services in Merton
  • people who work or attend school in Merton

all to whom it has a Public Health duty of care.

The Public Health service at Merton Council will have access to the following data:

  • Primary Care Mortality Database (PCMD) – The PCMD holds mortality data as provided at the time of registration of the death along with additional GP details, geographical indexing and coroner details where applicable
  • Births datasets - Births files include date of birth, sex, birthweight, address, postcode, place of birth, stillbirth indicators and age of mother. Deaths data includes: deaths broken down by age, sex, area and cause of death sourced from the deaths register.
  • Vital statistics tables – This dataset is aggregated together so that it does not identify individuals. It contains data on live and still births, fertility rates, maternity statistics, death registrations and cause of deaths analysis within Merton.
  • Hospital Episode Data (HES) – is a data warehouse containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England. This data is collected during a patient's time at hospital and is submitted to allow hospitals to be paid for the care they deliver. HES data is designed to enable secondary use, that is use for non-clinical purposes, of this administrative data.
  • National Child Measurement Programme (NCMP) - The National Child Measurement Programme is a mandatory nationwide government scheme that is responsible for collecting annual information on the height and weight status of children in reception year (ages 4-5) and year 6 (ages 10-11). Using Body Mass Index (BMI), the results are used to monitor and assess childhood obesity trends nationally and in local areas to support public health initiatives and campaigns. It is the responsibility of Public Health Teams in Local Authorities to collect and process the data at a local level, before it is reported up to a national level, where the data is then collated by Public Health England's Obesity Risk Factors Intelligence Team.

How is the information used?

All information accessed, processed and stored by Public Health staff will be used to measure the health, mortality or care needs of the population; for planning, evaluating and monitoring health; protecting and improving Public Health. It is used to carry out and support:

  • Joint Strategic Needs Assessment
  • Director of Public Health Annual report
  • Health and Wellbeing Strategy
  • Health needs assessments
  • Local health profiles
  • Commissioning and delivery of services to promote health and prevent ill health
  • Public Health surveillance
  • Identifying inequalities in the way people access services
  • Health protection and other partnership activities
  • Identifying priorities for action
  • Inform decisions on (for example) the design and commissioning of services
  • To support clinical audits, in particular suicide and childhood deaths
  • To provide intelligence to aid the Council and Merton Clinical commissioning group (MCCG) in its duty to protect and improve the health of the population.

Keeping the information secure

We are required to comply with the Data Protection Act to ensure information is managed securely and this is reviewed every year as part of our NHS Information Governance Toolkit assessment.

Any personal identifiable data is sent or received using secure email. All data is stored electronically on encrypted equipment and is managed using the principles of medical confidentiality and data protection. The number of staff accessing and handling such data is limited to only those key professionals named on relevant signed information sharing agreements (where applicable), all who undertake regular training about data protection and managing personal information.

In relation to births and deaths, the data will only be processed by Local Authority employees in fulfilment of their Public Health function, and will not be transferred, shared, or otherwise made available to any third party, including any organisations processing data on behalf of the Local Authority or in connection with their legal function.

We only keep hold of information for as long as is necessary. This will depend on what the specific information is and the agreed period of time.

Sharing information

These datasets will not be disclosed to anyone other than those stated above without permission, unless we have a legal reason to do so, for example disclosure is necessary to protect a person from suffering significant harm or necessary for crime prevention or detection purposes.

Confidential public health data will only be shared with other areas of the NHS, local authorities or care organisations with the permission of the Caldicott Guardian, once the necessary legal basis has been established and data protection safeguards have been verified, so that the data is managed and used under the same restrictions. Anyone who receives information from Merton Council Public Health is also under a legal duty to keep it confidential.

To opt out

You have the right to opt out of Merton Council Public Health receiving or holding your personal identifiable information.

There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues.

The process for opting out will depend on what the specific data is and what programme it relates to. For further information, please contact the Public Health team by email at: or in writing to: Public Health, Merton Council, Merton Civic Centre, London Road, Morden, SM4 5DX.

Further information

More information about how the Council uses your information is available from our website at:

If you have concerns about the use of your personal data, the Information Commissioners Office is an independent body set up to uphold information rights in the UK. They can be contacted through their website:, through their helpline (0303 123 1113) and in writing at their head office: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.