To support NHS Test and Trace in England, some organisations in certain sectors of the economy can volunteer to collect the details, and maintain records, of staff, customers and visitors on their premises. Participation in this scheme for both businesses and individuals is voluntary.
This privacy information is concerned with the processing of this personal data by the Department of Health and Social Care (DHSC) from the point that it is voluntarily shared by the relevant venue/establishment.
The privacy information for the initial collection and retention of that data by the venue/establishment is not the subject of this notice and should be available separately from the venue/establishment in question.
The purpose of DHSC's processing will be to facilitate NHS Test and Trace in conducting contact tracing. This may be necessary in the event that an individual, who is present in a place at the same time as you, tests positive for coronavirus. NHS Test and Trace may then contact you to provide appropriate advice.
NHS Test and Trace is a key part of the country's ongoing COVID-19 response and is run by DHSC. It includes dedicated contact-tracing staff working at national level under the supervision of Public Health England (PHE) and local public health experts who manage more complex cases. Local public health experts include both PHE health protection teams and local authority public health staff.
By maintaining records of staff, customers and visitors (and sharing these with NHS Test and Trace where requested) this can help to identify people who may have been exposed to the virus.
The more rapidly and accurately we can identify people who may have been exposed to the virus and, if necessary, ask them to self-isolate, the more effectively we can break the chains of COVID-19 transmission.
The venue/establishment will be a data controller for the data obtained at the point the information is collected from the individual. The venue will be responsible for compliance with data protection legislation for the period of time it holds the information. Its legal basis for collecting this information is covered by General Data Protection Regulation (GDPR) Article 6(1)(f): legitimate interests.
DHSC will be the data controller for the data at the point that it receives the data from the venue/establishment (which will be to start contact-tracing activities).
You may be asked to provide some basic information and contact details to relevant venues/establishments that you attend. All venues and establishments that collect personal data for their own purposes should be able to provide you with information on how they use your information.
The venue/establishment will disclose your information to DHSC if you have agreed to share it with them. DHSC will collect your information directly from the venue/establishment.
The venue/establishment may be asked to provide the following:
In addition, if a person/group only interacts with one member of staff during their visit, the name of the assigned staff member will be recorded alongside that information.
DHSC will only request these records where it is necessary for running an effective NHS Test and Trace service. It might be necessary (for this purpose) either because:
Under these circumstances DHSC, through NHS Test and Trace, will contact the venue/establishment by phone or text and request that it shares specific information (that is, the contact details of individuals who were on the premises between specific times on a specific day). NHS Test and Trace will then conduct a contact-tracing exercise with a view to providing those individuals with appropriate advice.
DHSC is the data controller for the purpose of contact tracing, through PHE and local public health experts, having received the data from the venues/establishments.
Your data that is collected for NHS Test and Trace will be retained locally by the venue you have visited for 21 days after your visit, at which point it will be deleted or destroyed, unless the venue usually collects the data for other legitimate business purposes in accordance with the GDPR.
Where your data is passed to NHS Test and Trace in the case of a suspected outbreak, your information will be kept for up to 8 years, as part of the standard contact-tracing retention period set out by Public Health England (PHE).
Information collected as part of this contact-tracing initiative will be stored securely and lawfully by the organisations involved, and by NHS Test and Trace (if passed to them), in line with the requirements of the GDPR and Data Protection Act 2018.
DHSC's legal basis for processing your personal data is:
By law, you have a number of rights as a data subject and this collection of your information does not take away or reduce these rights.
You have a right to:
If you're unhappy or wish to complain about how your personal data is used as part of this programme, you should contact DHSC in the first instance to resolve your issue. DHSC may have to work with partner organisations to resolve your complaint.
If this is unsuccessful, you can also raise a complaint with the Information Commissioner's Office (ICO).