Test and Trace: overarching privacy notice
Updated 14 December 2021
Applies to England
On 1 October the UK Health Security Agency (UKHSA) came into being as a result of an act of parliament (Health Security (EU Exit) Regulations 2021). UKHSA is an executive agency within the Department of Health and Social Care (DHSC) and it combines many of the health protection activities previously undertaken by Public Health England (PHE) together with all of the activities of the NHS Test and Trace Programme and the Joint Biosecurity Centre (JBC). The processing activities and the data processors have not changed. Individual rights are not affected by this change.
UKHSA is responsible for planning, preventing and responding to external health threats, and providing intellectual, scientific and operational leadership at national and local level, as well as on the global stage. UKHSA will ensure the nation can respond quickly and at greater scale to deal with pandemics and future threats.
Introduction
This document provides an overview of how personal information about you and others is collected, used, shared, stored, and disposed of in the provision of the response to the coronavirus (COVID-19) pandemic by NHS Test and Trace programme, which is now a part of UKHSA. It also explains your rights and how they can be exercised.
This programme has the following components:
Testing
Testing identifies who has COVID-19, and who has had COVID-19. The detailed privacy notice for testing can be accessed below:
Tracing
Tracing identifies people who have or may have been exposed to COVID-19 through contact with people who have tested positive, to advise them to self-isolate, how to obtain support whilst self-isolating and how to ensure they comply with self-isolation requirements. The detailed privacy notices for tracing and the NHS COVID-19 mobile application can be accessed below:
Contain
Contain works with local authorities to identify clusters and outbreaks of COVID-19, to take coordinated action to deal with outbreaks, and to support local communities in preventing future outbreaks. The contain division has no privacy notice of its own as all the required information is outlined in the testing and tracing privacy notices.
Joint Biosecurity Centre (JBC)
JBC is integrated into UKHSA and forms part of the government’s response to the COVID-19 pandemic. It operates as a central analysis and insight function and contributes to national and local decision making.
JBC brings together data science, data assessment and public health expertise to provide analysis and insight on COVID-19 in the UK. It does not collect personal information directly from individuals but instead draws upon data from a range of health and non-health sources, as well as other information feeds. This data is then analysed to advise the chief medical officers on the COVID-19 pandemic, including in relation to the alert levels for all 4 nations of the UK. The information is also used to develop insight to complement and build on this data to assist local decision-makers in taking effective action to protect public health.
The data processed includes personal and special category personal information. We recognise that the use and disclosure of personal and special category personal information has implications both for us and for the individuals whose personal information we process.
There is no separate privacy notice for these activities as all the required information is outlined in both this overarching notice and the respective testing and tracing privacy notices.
Data controller
DHSC has commissioned UKHSA on behalf of the UK government and will be the data controller for the purposes of data protection legislation. DHSC decides what information is required and how it needs to be used.
If you live in Wales, Scotland or Northern Ireland, further information about your governments work to tackle the pandemic can be found here:
The personal data we collect and how it is used
Personal information
Personal information | Used by Test? | Used by Trace? | Used by Contain? (including research) | Used by JBC? |
---|---|---|---|---|
Full name – to correctly identify and prove the eligibility of an individual | Yes | Yes | Yes | Yes |
Date of birth – to analyse demographics of population. Age alone is insufficient as it does not allow differentiation between groups within sub-categories such as school years | Yes | Yes | Yes | Yes |
NHS number – for English residents and if they know it – Wales, Scotland and NI residents may need to provide a different local identifier, which will be specified upon registering for a test and/or as part of contact tracing | Yes | Yes | - | - |
Home address (including postcode) – to correctly send test kits to an individual’s home addresses and to enable UKHSA to contact those who are positive as part of active follow up/national enhanced surveillance | Yes | Yes | Yes | Yes |
Other addresses, for example temporary, provided by users – as above | Yes | Yes | Yes | Yes |
Landline and/or mobile phone numbers – to be able to contact those who have taken the test and advise them whether they need to self-isolate, thus disrupting the spread of the virus | Yes | Yes | - | - |
Email address – as above | Yes | Yes | - | - |
Vehicle registration number – if booking a test at a regional test site this will allow access | Yes | - | - | - |
National Insurance (NINO) number – to ensure identity and eligibility of individuals booking tests | Yes | - | - | - |
Employer details – to ensure that those infected can be supported and the wider organisation protected | Yes | Yes | - | - |
Occupation details – gathered for analytics on COVID-19 sectorial impact | Yes | Yes | - | Yes |
Locations visited by individuals – collected via venue logs and the NHS COVID-19 app to enable potentially infected individuals to be contacted and supported | - | Yes | Yes | Yes |
Passenger journey itinerary (for example, travel dates, flight, train, coach or ferry seat numbers, locations, travel operators) – to monitor self-isolation and to identify close contacts of cases | - | Yes | Yes | - |
Unique Identifying Codes – identification codes are used to correctly link a tested individual to their own test result | Yes | Yes | - | - |
Parents’ or guardians’ contact details may be taken when we have activities such as testing or contact tracing involving children – to collect a child’s personal information and to test the child | Yes | Yes | - | - |
Third parties’ contact details may be taken when they have agreed to be contacted on behalf of other adults – to be able to contact those who have taken the test and advise them whether they need to self-isolate, thus disrupting the spread of the virus | Yes | Yes | - | - |
Special category data
Special category data | Used by Test? | Used by Trace? | Used by Contain? (including research) | Used by JBC? |
---|---|---|---|---|
Information relating to the individual’s physical or mental health condition – if a medical practitioner determines that the health information is pertinent to the infection of COVID-19, and where the health condition could cause further complications or could cause difficulties undertaking the test, then this health information may be collected | Yes | Yes | Yes | Yes |
Information relating to the family of the individual and the individual’s lifestyle and social circumstances – details of household members may be collected as part of tracing where positively tested individuals will be linked to contacts | - | Yes | Yes | Yes |
Information which relates to the ethnic origin of the individual – there is growing evidence that BAME communities are disproportionally affected by COVID-19, so capturing this information will allow this to be researched further | Yes | Yes | Yes | Yes |
Information relating to genetic/biometric details (where processed to uniquely identify an individual) – tests will take swabs of a person’s mouth/nasal passage for testing and this will contain genetic data in the sample. This will be used for testing but also the results of this test may be used for tracing and contain purposes | Yes | Yes | Yes | No |
Criminal convictions or alleged criminal behaviour
Criminal convictions or alleged criminal behaviour | Used by Test? | Used by Trace? | Used by Contain? (including research) | Used by JBC? |
---|---|---|---|---|
Information relating to any offences committed where we provide a testing service in prisons and where enforcement action may be taken against individuals who may fail to self-isolate – the prisoner early release and the prisoner protection programme (shielding/vulnerable lists) may engage with details of offences and sentencing. It should also be noted that in answering police requests for information to support potential self-isolation breaches and/or in the provision of similar data to the local authorities for triage it can be inferred that those individuals will be subject to law enforcement investigation, leading to potential criminal proceedings | Yes | Yes | Yes | No |
Automated decision making or profiling
Any automated decision making is authorised by law via our tracing division as part of our contact tracing NHS COVID-19 app. This is in compliance with the requirements of Article 22 of the UK General Data Protection Regulations (GDPR).
This arises where an app user comes into contact with someone who has tested positive such that they are advised by way of a notification sent via the app to self-isolate and order a test. Our lawful basis for doing this is section 2A of the NHS Act 2006. Suitable measures to safeguard your rights, freedoms and interests have all been put in place as required by Article 22 of the UK GDPR.
How will my information be shared by UKHSA in the context of the response to the COVID-19 pandemic?
The organisations that we may share personal data with can be found in appendix 1 (personal data recipients).
Lawful basis for processing personal information
The lawful basis changes depending on the purpose that the information is used for. These lawful bases can be found in appendix 2 (lawful basis for processing).
How long we keep your personal information
For the personal information processed by UKHSA, your information will be stored in line with the Records Management Code of Practice for Health and Social Care 2021.
This means your personal information may be retained from a minimum time of 14 days (for example, as part of the passenger locator form data) up to 8 years for patient record based on the part or parts of the programme that your personal information has been processed by, before being securely disposed of. Programme applies principle of data minimisation to ensure that data processing is limited to what is necessary and not held beyond the purpose.
Typical retention periods are:
-
patient records containing (full name, date of birth, NHS number, home address, phone number, email, medical health, unique identifying codes, other personal information) – 8 years
-
personal information pertaining to contact information held by UKHSA – 5 years
-
users’ preferred communication methods – 3 years
-
vehicle registration numbers – 1 year
-
employer details – 6 years
-
information request from other government departments or law enforcement – 42 days
-
complaints and case files – 10 years
-
subject access requests and freedom of information (FOI) requests – 3 years
-
subject access requests and FOI requests where there has been an appeal – 6 years
For a more detailed list, and explanation of the start dates, and retention categories please see the Records Management Code of Practice for Health and Social Care 2021 which contains the full list.
Personal information storage
We handle your personal information in accordance with appropriate procedures and technologies to maintain and protect its security, availability, confidentiality and integrity, and prevent its unlawful or unauthorised processing, accidental loss or damage, from its collection until its destruction.
Storage of data by DHSC is provided secure computing infrastructure on servers located in the European Economic Area (EEA). Our platforms are subject to extensive security protections and encryption measures.
Test codes and results are taken from the testing process and provided via the National Pathology Exchange (NPEx) to the App central system and will be stored via The Health Informatics Services (THIS) hosted by Calderdale and Huddersfield NHS Foundation Trust (CHFT) systems, based in the UK.
Other reasons why we process your personal information
Your personal information may be used for purposes that are not directly related to your health and care. For example, it may be used by DHSC to help measure, improve and evaluate the performance, effectiveness and impact of the response to the COVID- 19 pandemic.
Information about you will not be used for any purpose that is not linked to the control and prevention of COVID-19.
Any releases of information that identify you will be lawful and the minimum necessary for the associated purpose.
International data transfers
COVID-19 data may need to be shared with WHO for research purposes and where required to help trace contacts internationally. These are restricted transfers made on the basis of being important for reasons of public interest, where we rely on one of the derogations under Article 49(1)(d) of the GDPR.
Your rights as a data subject
Under data protection law, you have several rights over your personal information. You have the right to:
-
ask for a copy of any information we hold about you
-
ask for any information we hold about you (for example demographic information) to be changed if it is inaccurate
-
ask us to consider restricting our use of your information, although this is not an absolute right and we may need to continue to use your information in the interests of public health – we will tell you why if this is the case
-
object to us using any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
-
delete any information we hold about you, although this is not an absolute right and we may need to continue to
-
ask us, in appropriate circumstances, to transfer your personal information to a recognised health authority in another country
-
ask us, in appropriate circumstances, to transfer your personal information to a recognised health authority both in the UK and in other countries, but also to your private health provider (your record in a machine-readable format will be provided to you)
You can exercise any of your rights by contacting us at InformationRights@UKHSA.gov.uk
Once we receive your request, members of our data protection team will endeavour to get back to you as soon as possible to confirm receipt.
If you’re unhappy or wish to complain about how your personal information is used by UKHSA you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office.
You can contact the Department of Health and Social Care’s data protection officer at [email protected]
You can also write to:
Office of the Data Protection Officer
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU
Information relating to children
Children under the age of 16 require the consent of their parent or guardian for testing and tracing.
If the parent or guardian has granted explicit consent, we will undertake COVID-19 testing on your child. As a result, we will hold the same personal information as outlined in this privacy notice for the purpose of administering the test.
Where an individual under the age of 18 is investigated for potential non-compliance with self-isolation requirements, enforcement action may be taken against holders of parental responsibility, and/or guardians.
Security
We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.
Changes to our policy
We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on the DHSC website.
Appendix 1: We send personal information to these organisations
Organisation name | Division | Role |
---|---|---|
Amazon – to deliver home test kits once a request has been registered | Test | To be able to deliver and collect home test kits |
AWS (Amazon Web Services) | Trace | Where the Contact Tracing Service stores your data on the Cloud |
Barcode Warehouse | Test | To create barcodes for Testing to identify your test |
Boots | Test | Support and operational services to assist Testing |
Cabinet Office | Trace Contain | For the issuing and management of texts and emails for Contract Tracing |
Care Homes | Test Trace | To provide residents’ data to book testing |
Crown Prosecution Service | Trace Contain | In the event of prosecution for breaches of self-isolation rules |
Deloitte | Test | Provide support to the Testing programme and operate some of the Regional Test sites |
DHL – Courier 1 | Test | Deliver and pickup testing kits for individuals |
EMIS Health | Test | Provider of patient record system which supports Testing operations |
European Centre for Disease Control Early Warning & Response System | Trace | Sharing of data for EU country specific tracing capabilities |
ExperienceLab (Laboratory) | Test | Provide support and operation for Testing |
G4S | Test | Provide operational delivery of testing sites |
Home Office | Trace | Share data as required from Passenger Locator Forms (PLFs) to this ministerial department responsible for immigration, security, and law and order |
Kainos | Trace | Provides operational support for contact tracing service |
Kuenhe & Nagel – Courier 3 | Test | For Logistics on Testing |
Laboratories (NHS) | Test | Support and operation for Testing |
Laboratory 4 (Cambridge – run by AstraZeneca) | Test | Support and operation for Testing |
Levy | Test | Support and operation for Testing |
Local Authorities | Trace Contain | Assist with contact tracing, localised lockdown activity, administration of self-isolation support payments and to provide support as required, assessment of eligibility for self-isolation payment support and enforcement referral |
Ministry of Housing, Communities and Local Government (MHCLG) | Test Trace Contain | Working with Local Authorities on localised delivery of testing and local contact tracing activities |
Ministry of Defence | Test | Support the Test functionality of the programme by providing Test Centres and expanding capacity through personnel |
Ministry of Justice | Trace Contain | Provide trace and contain services for prisoners in custody |
NHS Business Services Agency | Test Trace | Business support, logistics, public comms/engagement |
NHS Digital | Test Trace Contain | Collection, Reporting, General Practitioner Record update, Antibody testing function, Contact tracing and testing data |
NHS England/Improvement | Test Contain | To provide commissioning support for Test and Contain activities |
NHS Professionals | Trace | Registered medical professionals contacting those who have tested positive for COVID-19 |
National Pathology Exchange | Test | Test requests and results are exchanged between laboratories within seconds digitally using a Single exchange system |
NCSC | Test Trace Contain | UK Government organisation that provides advice and support to avoid computer security threats. |
Office of Life Sciences | Contain | Department of DHSC that champions research, innovation and the use of technology to transform health and care service. |
Office of National Statistics (ONS) | Trace Contain | Trace and Contain engage with ONS for Secure analytics |
Palantir | Contain | Provision and support of data analytics platform (anonymised data) |
Police forces | Trace Contain | Confirmation of whether an individual has been asked to self-isolate and enforcement actions |
Public Health Wales & Others | Test | Tracing - Welsh Gov |
Public Health Scotland (PHS) | Test | Tracing - Scottish Gov |
Public Health N. Ireland (PHNI) | Test | Tracing - NI Assembly |
Randox | Test | Provide Home testing for individuals |
Royal Mail Group | Test | Deliver and pickup testing kits for individuals |
Serco | Test Trace | Operational delivery of testing sites and contact tracing |
Sitel Group | Trace | Operational delivery of contact tracing |
Sodexo | Test | Operational delivery of testing sites |
TelePerformance | Trace | Operational delivery of tracing capabilities |
The Health Informatics Services (THIS) | Test Trace | Support and operation for Testing and Tracing |
Thriva | Test | Support and operation for Testing |
TransUnion | Test | Address validation for home testing kit orders |
Travel Operators (for example, airlines) | Trace | Assistance in closing any gaps on contact tracing capabilities, requests on an ad-hoc basis where insufficient data available on Passenger Locator Forms |
Venues | Trace | Provision of venue log data if required for contract tracing |
World Health Organization (WHO) Focal Points | Trace | Sharing of data for non-EU country specific tracing capabilities |
Appendix 2: lawful basis for processing
Sharing of personal information
UKHSA (formerly Test and Trace, JBC and PHE) relies on section 2A of the NHS Act 2006 for the processing of personal information.
The Secretary of State used these powers to amend the Control of Patient Information (COPI) notice to allow the sharing of confidential personal information between eligible permitted organisations which are outlined in the COPI notice.
The COPI notice
The Secretary of State issued the COPI notice, on 20 March 2020 (under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002).
This notice was amended on 29th July and re-issued to protect public health as required under section 2A (1) of the NHS Act 2006 to extend the notice to the end of March 2021. In response to the COVID-19 pandemic, UKHSA delivers the statutory obligations under the Health and Social Care Act 2012 to establish and operate the function as per the Secretary of State’s direction to protect public health.
Testing division
The following lawful bases may apply to testing:
-
the processing is necessary for the performance of a task carried out in the public interest [GDPR Article 6(1)(e)]
-
the processing is necessary for compliance with a legal obligation [GDPR Article 6(1)(c)]
Special category data processing is necessary:
-
for reasons of public interest in public health [GDPR Article 9(2)(i)]
-
in the substantial public interest [GDPR Article 9(2)(g)]
-
for the management of health/social care systems or services [GDPR Article 9(2)(h)]
Data Protection Act 2018:
-
Schedule 1, Part 1, Section 1 – employment in relation to those engaged to work at testing sites
-
Schedule 1, Part 1, Section 3 – public health
-
Schedule 1, Part 2, Section 6 – statutory and government purposes relating to public health and in particular the management of the COVID-19 public health emergency
Tracing division
The following lawful bases may apply to tracing:
-
the processing is necessary for the performance of a task carried out in the public interest [GDPR Article 6(1)(e)]
-
the processing is necessary for compliance with a legal obligation [UK GDPR Article 6(1)(c)]
Where personal data is shared with other countries for the purpose of international contact tracing, the following UK GDPR derogation for specific situations applies:
- GDPR Article 49(1)(d) ‘the transfer is necessary for important reasons of public interest’
Special category data processing is necessary:
-
for the provision of health or social care [GDPR Article 9(2)(h)]
-
for reasons of public interest in public health [GDPR Article 9(2)(i)]
-
necessary for reasons of substantial public interest in the basis set out in [law] [GDPR Article 9(2)(g)]
-
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes [GDPR Article 9(2)(j)]
-
for the processing of data relating to criminal convictions and offences [GDPR Article 9(2)(i)]
Data Protection Act 2018:
-
Schedule 1, Part 1, Section 2 – Health or social care purposes
-
Schedule 1, Part 1, Section 3 – Public health
-
Schedule 1, Part 1, Section 4 – Research
-
Schedule 1, Part 2, Section 6 – Substantial Public Interest
-
Schedule 1, Part 2, Section 19 – Safeguard in processing for archiving, research and statistical purposes
The tracing division may also provide relevant and necessary data to a local authority or to local police forces in relation to enquiries about an individual not self-isolating or providing incorrect/incomplete information.
The processing will be carried out to meet obligations under The Health Protection (COVID-19, Restrictions) (Self-Isolation) (England) Regulations 2020 and meets the relevant condition in the Data Protection Act 2018 [Schedule 1, Part 1, Section 3] of being necessary for reasons of public interest in the area of public health.
Contain division
The following lawful bases may apply to contain:
-
the processing is necessary for the performance of a task carried out in the public interest [GDPR Article 6(1)(e)]
-
the processing is necessary for compliance with a legal obligation [GDPR Article 6(1)(c)]
Special category data processing is necessary:
-
for reasons of public interest in public health [GDPR Article 9(2)(i)]
-
necessary for reasons of substantial public interest in the basis set out in law [GDPR Article 9(2)(g)]
-
necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR Article 89(1) [GDPR Article 9(2)(j)]
Data Protection Act 2018:
-
Schedule 1, Part 1, Section 3 – Public Health
-
Schedule 1, Part 2, Section 6 – Substantial Public Interest
-
Schedule 1, Part 1, s. 4(a to c), Conditions relating to employment, health and research purposes
To achieve compliance with the Data Protection Act 2018, DHSC have an appropriate policy document for when we process special category data and/or criminal offence data.