COVID-19 self-test for staff, service users and visitors in adult social care settings: privacy notice
Updated 29 January 2024
Applies to England
Ownership of the personal data
To enable the COVID-19 testing to be completed at [name of organisation], we need to process personal data, including the sharing of personal data where this is allowed under data protection legislation.
[Name of organisation] is the data controller for the data required for the management of tests, implementing local arrangements in the event of a positive test and collecting details of who has received each test kit.
We will process personal data relating to users, under article 6.1(f) of the UK GDPR – it is necessary in the legitimate interest of the data controller. We will process special category personal data under the provisions of article 9.2(i) of the UK GDPR, and Part 1 of Schedule 1(3) of DPA 2018 where it is in the public interest on Public Health Grounds to ensure we can minimise the spread of COVID in a timely manner and enable us to continue to deliver services as safely and securely as possible.
Ownership of the personal data shared with DHSC
When you do your own testing at home or on the organisations premises, you must report the results online to the Department of Health and Social Care (DHSC) and also tell the [name of organisation]. Read more on online reporting.
DHSC is the data controller for the information that you provide to them about you and your test results. For more information about what DHSC does with your data, see the privacy notice for NHS Test and Trace.
The [name of organisation] remains the data controller for the data we retain about you for the management of tests and implementing local arrangements in the event of a positive test. You can read the privacy notice on GOV.UK or you can request a copy is sent to you. This will help you understand how your personal data is used prior to taking a test.
Personal data involved
The following personal data is processed by the [name of organisation] in relation to your test:
- name
- unique code assigned to each individual test and which will become the primary reference number for the tests
- test result
Test kit log
The following personal data is collected from you by the [name of organisation] in relation to self-test kits you are provided to use at home:
- first name, last name, telephone number and/or email address of test subject
- details of lot or batch number
- date of issue to user
For this test kit log the [name of organisation] is acting as a ‘processor’ for the DHSC, and this information will not be shared with DHSC.
How we store your personal information
The [name of organisation] will maintain the test kit log, which would contain your personal details (outlined above). The [name of organisation] test kit log will not be shared with DHSC. This information will only be stored securely on locally managed systems with appropriate access controls implemented by [name of organisation] and will only be accessible to personnel involved in the management of tests and implementing local arrangements in the event of a positive test.
The [name of organisation] shall not keep the data contained in the test kit log for longer than 12 months from the date on which it is collected.
DHSC will retain information for up to 8 years.
Processing of personal data relating to positive test results
The [name of organisation] will use this information to enact its own COVID isolation and control processes whilst ensuring respect to personal privacy in line with our data protection responsibilities.
Processing of personal data relating to negative and void test results
The [name of organisation] will record a negative and void result for the purpose of stock controls of tests and general performance of the testing process.
Data sharing partners
The personal data associated with test results may be shared with:
-
DHSC and Public Health England – to ensure that they can undertake the necessary Test and Trace activities and to conduct research and compile statistical information about coronavirus
-
local government to undertake local public health duties and to record and analyse local spreads
A full list of recipients is available in Testing for coronavirus: privacy information.
The [name of organisation] will not share its internal COVID-19 results register with the DHSC.
Your rights
Under data protection law, you have rights including:
-
your right of access – you have the right to ask us for copies of your personal information
-
your right to rectification – you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
-
your right to erasure – you have the right to ask us to erase your personal information in certain circumstances
-
your right to restriction of processing –you have the right to ask us to restrict the processing of your personal information in certain circumstances
-
your right to object to processing – you have the right to object to the processing of your personal information in certain circumstances
-
your right to data portability – you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Contact us at [email address, phone number and or postal address of organisation’s DPO] if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at [your organisation’s contact details for data protection queries].
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113