Guidance

COVID-19 privacy information

Updated 30 September 2021

About Public Health England

Public Health England (PHE) exists to protect and improve the nation’s health and wellbeing, and reduce health inequalities.

One of our main purposes for collecting and using personal information is to protect the public from communicable diseases. We are playing a key role in supporting national and local action to control and prevent the spread of coronavirus (COVID-19) in England.

This privacy notice explains the personal information we collect, use and share for this purpose. It explains what your rights are if we hold your personal information and how you can find out more or raise a concern.

Data controller

Public Health England is an executive agency of the government, sponsored by the Department of Health and Social Care (DHSC). We are listed under the Department’s registration with the Information Commissioner’s Office.

We are the data controller for the personal information we use to help control and prevent the spread of coronavirus.

The information we collect

The types of personal information we may collect about you are:

  • demographic information – for example, we may collect your name, date of birth, sex, ethnic group, NHS number, address and postcode, occupation, and contact details such as your phone number and email address
  • health information – we may collect information about your symptoms, medical diagnoses and health risk factors related to coronavirus
  • treatment information – we may collect information about your hospital admissions, test results and treatments, including vaccinations, that you receive related to coronavirus

How we collect your information

We collect personal information in 3 main ways: directly from you, from the providers of health and care services, and from other organisations supporting the response to coronavirus in England.

Directly from you

We may ask you to provide or confirm your demographic information, information about your coronavirus symptoms, places you have visited, details of the people you have been in close contact with, and journey details and any travel companions if you have recently travelled to the UK.

From health and care providers

We may collect your demographic, health and treatment information from:

  • GPs and doctors – all doctors in England must inform us if you have been diagnosed with COVID-19
  • diagnostic laboratories – all NHS and private laboratories in England send us your results if you have been tested for coronavirus
  • hospitals – we collect your information if you have been admitted to hospital for treatment for COVID-19

From other organisations

We may collect your demographic, health and treatment information from:

  • NHS Digital – we ask NHS Digital to help fill in any gaps in the demographic information, such as missing telephone numbers, in the coronavirus test results and hospital admissions data we collect
  • NHS England – we receive your demographic information and COVID-19 vaccination history from NHS England
  • National Pathology Exchange and other test providers – we receive your demographic information and test results if you have been tested for coronavirus at a regional or mobile site or at home from the National Pathology Exchange, and from the providers of point of care tests
  • certain kinds of businesses and organisations – we may ask for your demographic information if you are a member of staff or a customer or visitor to a place that may be the location of a coronavirus outbreak
  • the Home Office – we receive the information you must record in the Public Health passenger locator form if you are travelling to the UK and staying in England
  • travel companies – we may ask your travel operator for your demographic information if you have travelled to the UK and were in close contact with someone with coronavirus symptoms during your journey
  • the Office for National Statistics (ONS) – we ask the ONS for information on deaths from COVID-19 in England

Whenever possible, we only collect information that does not directly identify you. But where we do need to collect your personal information we will only ask for the minimum we need for our work to help control and prevent the spread of coronavirus.

How we use your information

To identify cases

If you have been tested for coronavirus in hospital, at a regional, mobile or other test site, or at home, your demographic information and test results are sent to us either by the laboratory or point of care test provider that carried out the test or by the National Pathology Exchange.

If you are admitted to hospital with coronavirus symptoms or develop COVID-19 while you are an inpatient, your hospital will send us your demographic information and details of your diagnosis, treatment, underlying health conditions such as respiratory disease or diabetes, and other risk factors such as whether you are a healthcare worker.

The DHSC has published detailed privacy information about testing for coronavirus.

To trace contacts

Contact-tracing is a well-established public health practice used by health protection specialists across the world to control and prevent the spread of infectious disease.

To help with the increased scale of the contact-tracing needed to respond to coronavirus, we have developed the contact-tracing website. This website is an important part of the NHS test and trace service.

If you test positive for coronavirus, the demographic information from your test record is used to contact you to ask for information about the places you have visited and the people you have been in close contact with. This is so your contacts can be sent an alert to self-isolate or be tested if necessary. Your contacts are not told your identity when they are provided with an alert.

If your details have been provided to the NHS test and trace service by someone who has tested positive for coronavirus, you will be contacted by text, email or phone and provided with advice on the self-isolation measures you must take to keep yourself and others safe.

You can find a full description of how the NHS test and trace service works. You can also find stay at home guidance for households with possible or confirmed coronavirus infection, as well as guidance for people who are a close contact of, but do not live with, someone who has tested positive for coronavirus.

If you test positive for coronavirus or have been identified by NHS test and trace as a close contact of someone who has, you are required by law to self-isolate to stop the virus from spreading. You can find guidance on when and how to self-isolate. People on lower incomes who have been instructed to self-isolate but cannot work from home and have lost income as a result can apply for a self-isolation support payment. If you apply for this, we share information from the contact-tracing service with your local authority as part of their checks to ensure your eligibility.

If you are travelling to or through the UK, you must complete a Public Health passenger locator form. This collects information about your journey, the people you are travelling with and the address where you will be staying in the UK. This information will be used by us to contact you to provide public health advice if you are in close contact on your journey with another person who tests positive for coronavirus. We may also ask your travel company for your information if the details we have from the passenger locator form are incomplete. We may also use information from your passenger locator form as part of our checks to ensure that people travelling to the UK from a country, territory or island not on the travel corridors list are self-isolating on arrival unless they are exempt for work or other reasons. You can find further information about the passenger locator form and on how to self-isolate when you travel to the UK.

If the police receive a report that you may be breaking the self-isolation requirement, they may ask us to confirm if you were required to self-isolate and for what time period. We do not share the details of all people who have been instructed to self-isolate with the police – we only share information with them in response to specific requests about individuals who may be breaking the self-isolation duty.

To manage outbreaks

The process of identifying cases and tracing contacts sometimes shows that places such as care homes, workplaces, schools, places of worship and entertainment venues are locations where people are being infected with coronavirus. Rapid action is needed to control these outbreaks to help prevent the spread of the virus.

We analyse the information we collect on people with coronavirus and their contacts to identify potential outbreaks. If we believe you were infected after visiting a place at the centre of an outbreak, or if you have been identified as a close contact of someone who has been infected this way, we will share your personal information with your local authority.

Local authorities have a range of responsibilities for protecting the health of their residents, including the preparation of local outbreak plans. Their public health staff work alongside Public Health England’s local health protection teams to investigate local outbreaks. You may be contacted by an outbreak investigation team and provided with advice on self-isolation and testing. You may also be asked about your coronavirus symptoms and your close contacts to help further control the outbreak.

Some businesses and organisations operating in sectors where people spend a longer amount of time in one place and potentially come into close contact with others from outside their household are being asked by the government to keep a temporary record of their customers and visitors. If a pub, restaurant, hotel, hairdressers, entertainment venue, place of worship or similar location is believed to be the centre of an outbreak, the local outbreak investigation team will ask to see this record so they can contact you to provide public health advice if you were a customer, visitor or member of staff. We do not collect visitor logs unless a venue is involved in an outbreak.

You can find more in the guidance for businesses and organisations on maintaining records of their staff, customers and visitors to support the NHS test and trace service.

To understand the epidemiology of coronavirus

If you have been tested for coronavirus, we link your results to other information we collect about you related to coronavirus such as your symptoms, whether you have been admitted to hospital for treatment, and your outcomes. We do this to understand more about the impact of coronavirus on people’s health, both now and longer term.

If you are a close contact of someone who tests positive, we link the information collected about you by the NHS test and trace contact-tracing service with information about you if you are later tested for coronavirus. We do this to understand more about how coronavirus is spreading in the population.

If you’ve been vaccinated for COVID-19, we analyse the information collected about you by the NHS to help monitor the rollout of the vaccination programme across different groups in the population. We also use your information to monitor how effective the vaccination programme is in controlling the spread of infection.

We also use information from other sources, such as passenger locator forms, for purposes such as monitoring for cases of imported COVID-19 among people living in the same households as someone who has recently travelled to the UK.

The information we collect, link and analyse is used by us to better understand the epidemiology of the virus so that we can help to better control and prevent the spread of infection. We use this knowledge to:

  • provide you with information and advice about how to protect yourself and others
  • provide advice to the government on how to respond to the coronavirus pandemic
  • publish a range of reports and information tools to help the NHS, local authorities and other parts of government respond to the virus

The purposes we use your information for

The purposes we use your coronavirus-related information for are set out in our annual remit letter from the government. These include:

  • laboratory testing and genome sequencing to inform public health interventions
  • targeted contact-tracing and supporting the self-isolation duty
  • public health activity at major ports as required to respond to the outbreak
  • surveillance and modelling to inform action at national and local level
  • providing expert advice to the DHSC, other government departments and scientific advisory groups
  • supporting local forums and NHS regional hubs responsible for leading the multi-agency response at a local level
  • supporting and delivering evidence-based public health communications and guidance
  • monitoring the impact of social and behavioural interventions over time
  • identifying and implementing lessons from the management of the incident both during and after the outbreak and the longer-term public health impacts of the pandemic
  • research into coronavirus, including potentially being invited to be part of a research study or clinical trial

How we store and protect your information

Your personal information is protected by us in a number of ways.

It is stored on computer systems that have been tested to make sure they are secure and which are kept up-to-date to protect them from viruses and hacking. Where we share your personal information with other organisations, we only ever do so using secure computer systems or encrypted email.

We store your personal information in the UK only.

Your information used by us can only be seen by staff who have been specifically trained to protect your privacy. Strong controls are in place to make sure all these staff can only see the minimum amount of personal information they need to do their job.

Whenever possible, we only use your information in a form that does not directly identify you. For example, if you test positive for coronavirus, we need to use your name, date of birth and NHS number to link together your test results with information about any treatment you receive and your outcomes. But for most of the analyses we then do to monitor the epidemiology of coronavirus, we use information that does not directly identify you. For example, we replace your name and NHS number with pseudonyms and substitute your date of birth with age in years. We do this to help protect your confidentiality.

No information that could identify you will ever be published by us.

Who we share your information with

We may share your personal information with other organisations to support national and local action to control and prevent the spread of coronavirus.

If we do share your personal information, we only do so where the law allows and we only share the minimum necessary amount of information.

With local authorities

Local authorities and mayoral and combined local authorities have responsibilities for protecting the health of their residents. We share information from the contact-tracing service with your local authority to help with tracing contacts, to support people who need help self-isolating and to provide support payments to eligible people on lower incomes who have been instructed to self-isolate.

We also share information on all positive tests for coronavirus with your local authority. This information includes your postcode but does not include other information that identifies you such as your name or date of birth.

You can find privacy information about the data your local authority collects and uses to prevent and control the spread of COVID-19 on its website.

With NHS Digital

NHS Digital provides information and technology services to the health and care system. It has been directed by the Secretary of State for Health and Social Care and NHS England to collect and analyse data relating to COVID-19 and develop and operate IT systems to deliver services to respond to COVID-19. We share the personal information we collect on coronavirus test results and hospital admissions for COVID-19 with NHS Digital. We also receive back from NHS Digital any information we need that is missing from these results, such as your ethnic group or telephone number.

You can find privacy information on the data NHS Digital collects and uses to support the government’s response to coronavirus.

With NHS England

NHS England is responsible for managing the health service in England. We share the personal information we collect on coronavirus test results and hospital admissions for COVID-19 with NHS England for it to use to help support the NHS response to coronavirus.

You can find privacy information on the data NHS England collects and uses related to coronavirus.

With the Department of Health and Social Care (DHSC)

The DHSC is the data controller for the NHS test and trace service. We share the personal information we collect through the contact-tracing service with the DHSC and data processors working on its behalf for it to use to provide the NHS test and trace service.

We also share information with the Joint Biosecurity Centre (JBC), which is part of the DHSC, for it to analyse to identify outbreaks of coronavirus and provide advice to local, regional, and national decision-makers to help them respond rapidly.

With researchers

We may share your personal information with university and other researchers, for example, so they can help us model the spread and impact of coronavirus. Unless you have consented to us sharing your personal information as part of a research study, the information we share is provided in a form that means the researchers cannot identify you. For example, we replace your name and NHS number with pseudonyms and substitute your date of birth with age in years to help protect your confidentiality.

With our data processors

We may share your personal information with organisations we have contracted to help us respond to coronavirus.

These organisations are known as data processors and are acting on our instructions. They are not allowed to use your personal information for any purposes other than those specified by us, they are not allowed to keep your information once their work for us has ended, and they must comply with strict data security and protection requirements when processing your information on our behalf.

For example, to support the NHS test and trace contact-tracing service, we share personal information with NHS Professionals, Serco UK and SITEL Group, which are providing staff to call the contacts of people who test positive and provide guidance on self-isolation. Other data processors include Amazon Web Services, which is providing the secure UK-based storage location for the contact-tracing service information, and Kainos, which is assisting with the operation of the contact-tracing website system. You can find more information in the privacy information for the NHS test and trace contact-tracing service.

With the police and the Home Office

We may share your personal information with the police to help them investigate reports of people who may be breaking the self-isolation requirement. The police may in turn share this information with the Crown Prosecution Service to decide if enforcement action is appropriate.

We may also share your information with the Home Office if you have recently travelled to the UK and, as part of our checks of people who are required to self-isolate, our contact tracers cannot contact you or you have not been self-isolating. This may lead to the Home Office taking further action, which could include you being fined.

Other sharing of your information

We may share your information in other ways to help control and prevent the spread of coronavirus. For example, as part of the UK’s obligations under the International Health Regulations, we may share your personal information with other countries if you test positive for coronavirus and have recently travelled internationally. This is to help with international contact-tracing.

How long we keep your information

We will only keep your personal data for as long as we need it to help control and prevent the spread of coronavirus.

Most of the time, we will keep your information in accordance with the time periods specified in the Records Management Code of Practice for Health and Social Care 2016. For example, if you test positive for coronavirus, the personal information collected and used by the NHS test and trace contact-tracing service will be kept by us for 8 years, which is the standard retention period for general medical records.

As COVID-19 is a novel form of coronavirus infection and the natural history of the disease is unclear at present, we may need to keep your personal information for longer. If this is the case, we will explain how long we intend to keep your information and the reasons why.

Your rights over your information

Under data protection law, you have a number of rights over your personal information. You have the right to:

  • ask for a copy of any information we hold about you
  • ask for any information we hold about you that you think is inaccurate to be changed
  • ask us to restrict our use of your information, for example, where you think the information we are using is inaccurate
  • object to us using any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
  • ask us to delete any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
  • ask us not to use your information to make automated decisions about you without the involvement of one of our staff

You can exercise any of your rights by contacting us at:

Public Information Access Office
Public Health England
Wellington House
133-155 Waterloo Road
London SE1 8UG

Email: FOI@phe.gov.uk

You will be asked to provide proof of your identity so that we can be sure we only provide you with your personal information.

You will not be asked to pay a charge for exercising your rights. If you make a request, we will respond within one month.

The law on protecting personal information, known as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, allows us to use your personal information to help control and prevent the spread of coronavirus. We process both personal data and special categories of personal data, particularly data about your health and ethnic group, for this purpose.

The sections of the GDPR and the Data Protection Act that apply where we use personal information to identify cases, trace contacts, control local outbreaks, check whether people are self-isolating, confirm that someone is eligible for a self-isolation payment, and monitor the impact on public health of coronavirus are:

  • GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest’
  • GDPR Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’
  • Data Protection Act Schedule 1 Part 1 (3) ‘public health’

Where personal data is shared with other countries for the purpose of international contact-tracing, the following GDPR derogation for specific situations also applies:

  • GDPR Article 49(1)(d) ‘the transfer is necessary for important reasons of public interest’

Where personal information from the contact-tracing service is provided to the police to investigate if someone is not self-isolating, the sections of the law that apply are:

  • GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’
  • GDPR Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare’
  • Data Protection Act 2018 Schedule 1 Part 1 (3) ‘public health’
  • GDPR Article 10 ‘data relating to criminal convictions and offences’
  • Data Protection Act 2018 Schedule 1 Part 2 (6) ‘statutory etc. and government purposes’

Where we use personal information for coronavirus-related research, the sections of the law that apply are:

  • GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’
  • GDPR Article 9(2)(j) ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’
  • Data Protection Act 2018 Schedule 1 Part 1 (4) ‘research’

Our duty of confidentiality

We may need to use your confidential patient information such as your coronavirus test results without asking for your consent.

We have ‘section 251’ approval from the Secretary of State for Health and Social Care to do this for the purpose of diagnosing, recognising trends, controlling and preventing, and monitoring and managing communicable diseases such as coronavirus.

The part of the law that applies here is section 251 of the National Health Service Act 2006 and regulation 3 of the associated Health Service (Control of Patient Information) Regulations 2002.

Find out more or raise a concern

If you have any concerns about how we use and protect your personal information, you can contact our Data Protection Officer at dataprotectionofficer@phe.gov.uk or by writing to:

Data Protection Officer
c/o Public Information Access Office
Public Health England
4th Floor, Wellington House
133-155 Waterloo Road
London SE1 8UG

You also have the right to contact the Information Commissioner’s Office if you have any concerns about how we use and protect your personal information. You can do so by calling the ICO’s helpline on 0303 123 1113, visiting the ICO’s website at www.ico.org.uk or writing to the ICO at:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

About this privacy information

The personal information we collect and use may change as the government’s response to coronavirus evolves so we may need to revise this notice. If we do, the publication date provided at the top of this notice will change.