Guidance

Test and Trace: overarching privacy notice (summary version)

Updated 14 December 2021

Applies to England

Summary

The UK Health Security Agency (UKHSA) is responsible for implementing the UK government’s response to the coronavirus (COVID-19) pandemic in England.

This privacy notice explains how personal data about you and others is collected, used, shared, stored, and disposed of. It also explains your legal rights relating to its use.

This notice summarises the key points of the full privacy notice for a quicker read.

Background to Test and Trace

The Department for Health and Social Care (‘DHSC’ or ‘the department’) is the ‘data controller’ for personal data processed within the 3 main parts of the NHS Test and Trace programme, which is now a part of UKHSA:

  • testing – to identify who has had the virus and who currently has the virus

  • tracing – to identify people who may have been exposed to the virus, to advise them to self-isolate, and for self-isolation support and enforcement. Data collection will be via venue customer logs, passenger locator forms and the NHS Test and Trace app.

  • contain – working with local authorities to identify outbreaks and to take coordinated action to contain them.

Information that we collect

The personal data that is collected/processed for this purpose includes full name, date of birth, home address, NHS number, phone numbers, email address, gender, vehicle registration number (if booking a drive-in testing appointment), job title, postcode district, passenger journey details, health data (such as test results), name and contact details of people you have been in close contact with, data revealing racial or ethnic origin, genetic data, and whether you are clinically vulnerable or require additional support.

How will my information be used

Personal data is used for:

  • controlling the spread of coronavirus and tracing the contacts of people who test positive; assessing the effectiveness of these processes

  • providing care and support if you report symptoms, receive a positive test result or are identified as having contact with a person who has tested positive for coronavirus

  • self-isolation support and enforcement

  • ensuring that disruption to social life and the impact on the UK economy are minimised, with data being shared as necessary

  • providing improved diagnosis and therapeutics in response to COVID-19

  • where applicable, complying with the requirements of the Freedom of Information Act 2000, the Environmental Information Regulations 2004, and the Data Protection Act 2018

How your information will be shared

Personal data is shared to help operate all elements of the service. For example, this may include NHS Digital, local authorities, devolved administrations, the Home Office, and travel operators with countries you have travelled to.

A full list of all recipients and their role is included in the full Test and Trace privacy notice.

Lawful basis for processing your personal data

Due to the scope and nature of the data collected, the retention of data is variable. In all aspects of records management and data retention, we will comply with the relevant standards, public records guidance and data protection law.

How long we keep information about you

Due to the scope and nature of the data collected within the NHS Test and Trace service the retention of data is variable, from 21 days for venue customer logs, to 8 years for aspects of public health COVID-19 infection control. In all aspects of records management and data retention, NHS Test and Trace will comply with the relevant standards, public records guidance and data protection law.

Personal data protection and storage

We handle your personal data in accordance with adequate and reasonable procedures and technologies in order to maintain and protect its security, availability, confidentiality and integrity, and prevent its unlawful or unauthorised processing, accidental loss or damage, from its collection until its destruction.

International data transfers

Personal data may be shared with the World Health Organization (WHO) as part of an international co-ordinated response to the COVID-19 pandemic. These transfers of personal data are made under Article 49(1)(d) of the General Data Protection Regulation – where we need to make the restricted transfer for important reasons of public interest.

Your rights

By law, you have several rights in relation to your personal data, such as the right to access information held about you. Your rights, their applicability, and how they can be actioned are explained in this privacy notice.

Security

We use appropriate technical, organisational and administrative security measures to protect any information. This is overseen by our Chief Information Security Officer. We have written procedures and policies which are regularly audited, and the audits are reviewed at senior level.

Automated decision making or profiling

DHSC considers that any automated decision making is authorised by law, specifically section 2A of the NHS Act (2006) which permits the Secretary of State to take such steps as he considers appropriate for the purpose of protecting public health.

Changes to this policy

We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on GOV.UK.