Guidance

Antibody testing for coronavirus: privacy information

Updated 29 January 2024

This guidance was withdrawn on

This content is now available at COVID-19: guidance and support.

Applies to England

© Crown copyright 2024

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/coronavirus-covid-19-testing-privacy-information/antibody-testing-for-coronavirus-privacy-information

Introduction

The UK government is delivering a coronavirus (COVID-19) testing programme, which is made up of the following elements:

  • testing frontline workers and seriously ill patients
  • testing to see if you currently have COVID-19
  • testing to see if you have COVID-19 antibodies
  • monitoring the spread and development of COVID-19

This notice focuses on home antibody testing for COVID-19. An antibody test is a blood test to check if you’ve had COVID-19 before or been vaccinated.

The antibody test is also being offered as part of the COVID-19 polymerase chain reaction (PCR) testing journey. If you receive a positive COVID-19 PCR test result, you can choose to take an antibody test.

Your blood sample is analysed in a laboratory.

Find out more about antibody testing.

More details on the test can also be found in Annexe 1 below.

The test is completely voluntary. You can choose not to complete the test at any point, but you are encouraged to take it if you have been invited to order a test kit. If you do take the test, please carefully follow the instructions provided.

An antibody test can tell you if it’s likely you’ve had COVID-19 before or been vaccinated. But it does not work for everyone, as some people who’ve had the virus do not have antibodies. An antibody test does not tell you:

  • if you’re immune to COVID-19
  • if you can or cannot spread the virus to other people

The test kit comes with instructions on how to use it. Once you have taken the test, your sample will be analysed in a laboratory and you will be informed of the result (positive, negative or failed). If you get a positive antibody test result (indicating you have COVID-19 antibodies), you will still need to follow the same social distancing advice as everyone else.

You will be given advice on any next steps that you should take following your result.

The purpose of the testing and associated data collection is:

1) Operational:

  • to be able to deliver the testing service
  • to monitor and improve the delivery of the testing service

2) Personal health information:

  • to inform the individual of their antibody status
  • to add the antibody test result to the GP record

3) Pandemic response:

  • to inform policy in response to the pandemic
  • to inform the operational response to the pandemic (for example, local outbreaks)
  • to share the data for research, including use of the residual sample for further analysis within UKHSA

Data controller

The overall testing programme has been commissioned by UKHSA). UKHSA decides what information is required and how it needs to be used.

UKHSA has commissioned the COVID-19 testing programme on behalf of the UK and will be data controller for the purposes of Data Protection legislation. Once the test results have been collated UKHSA will remain the controller for the data of English residents. The governments of Wales, Scotland and Northern Ireland may have also requested (under section 255 of the Health and Social Care Act 2012) that NHS Digital collate relevant test results data for their residents, to be sent to a named organisation in their country to help their response to coronavirus (Public Health Wales, NHS National Services Scotland and Public Health Agency Northern Ireland), who will be the controllers of their respective data.

Other organisations will also carry out parts of the COVID-19 testing programme on behalf of UKHSA, but can only act on instructions provided to them by UKHSA. These organisations are known as data processors. Each organisation will require a different level of information about you, but all will use the minimum necessary to do what they are required to by the controller.

What personal data we collect

If you request your antibody test on the GOV.UK website or are volunteering to take an antibody test after a positive PCR, the following information is required in order to register and receive a home testing kit.

The details we may need from you include:

  • identity (name, date of birth, sex)
  • other personal details (postcode, ethnicity)

This data is necessary in order to link the test result to the subject’s GP record, and also to enable meaningful research and analysis

  • contact details (mobile phone number, email address)

This data is necessary to send out test kits and provide results.

  • whether you, or anyone you live with, has tested positive for COVID-19 before

This data is necessary to support research and analysis into which groups are vulnerable, and how the virus has spread.

  • occupation details

This data is necessary as the eligibility for the test will focus on different groups depending on the research or surveillance project. Certain sectors appear to be at a higher risk (for example, meat processing), and any vulnerability could have consequences in outbreak management (for example, schools).

How we use your information in the testing programme

For laboratory-based, after following the instructions provided, you will need to post your testing kit to a laboratory for analysis.

The laboratory will analyse the sample and provide your test result to National Pathology Exchange (NPEx). The lab does not receive any information that would allow them to personally identify you. They only get a Specimen ID from the test kit, and then they attach the result to that Specimen ID.

NPEx will link your registration record with your test result and pass this information onto NHS Business Services Authority, who will inform you of your result by text and/or email. NPEx will also send results to NHS Digital (see Annexe 2 below), so they can collate data and information.

Purposes your data will be used for

A positive antibody test will not confer any privileges, certifications or exemptions from existing HM Government or devolved administration COVID-19 guidelines. You must still self-isolate in line with guidelines if you either:

  • come into contact with somebody who has COVID-19
  • test positive for COVID-19

UKHSA is the data controller for the following purposes:

  • confirming your request for a test
  • receiving and processing your test request (to send you your test kit)
  • confirming your results to you
  • undertaking quality assurance of the testing process (for example, clinical process assurance)
  • analysis to support operational decisions to improve the full end-to-end testing process, such as:
    • day-to-day operational use (for example, whether someone returned their test kit)
    • to inform test process improvements (for example, manage kit delivery times)
    • support logistics planning
  • for residents in England, sharing your results with NHS Digital to analyse data in relation to COVID-19
  • sharing results within UKHSA to help plan and respond to COVID-19
  • to invite you to engage with other services and programmes (for example, vaccination programmes, research trials)
  • UKHSA’s own research and analysis in order to inform public policy and response
  • to add the antibody test result to your GP record

Data processors and other recipients of your data

Organisations who use your data and information on behalf of a controller can only do so with clear instructions from the controller, and cannot use your data and information for any other purpose. Any use of information that is not covered by the instructions from the controller would be unlawful, unless the controller agrees and provides written permission to do this.

UKHSA has appointed data processors to carry out the following activities:

  • registration, and capture of information at the point of ordering a home test
  • verify your identity. We may use an agency, who will check your identity (this is not a credit check and does not affect your credit score)
  • overseeing the logistics of test kit deliveries
  • transporting and delivering kits
  • link your personal details (provided on registering for the test) to the test result
  • forward your test results, email address and phone number to NHS Business Services Authority (NHS BSA) to send you your test results.
  • receive data to enable your results to be communicated back to you by SMS (text) and email, along with supporting information

Services on behalf of UKHSA may be provided by different organisations in different regions and a full list of data processors can be found in Annexe 2 below.

We may need to share your personal data if we are required to do so by law.

Data retention

Your information will be stored in line with the Records Management Code of Practice for Health and Social Care 2020.

Data storage

Information that identifies you will be stored securely, and processed in, the UK and Ireland. Information that does not, and cannot, identify you may be stored and processed outside of this area (for example, information purely about the number of tests conducted, or the number of outcomes from tests).

DHSC’s legal basis for processing your personal data is:

  • UK GDPR Article 6 (1) (e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • UK GDPR Article 9 (2) (h) – the processing is necessary for the management of health/social care systems or services
    • DPA 2018 – Schedule 1, Part 1, (2) (2) (f)
  • UK GDPR Article 9 (2) (i) – the processing is necessary for reasons of public interest in the area of public health
    • DPA 2018 – Schedule 1, Part 1, (3) – Health or social care purposes

Your rights as a data subject

By law, you have a number of rights as a data subject and this testing programme does not take away or reduce these rights.

You have the right to:

  • ask for a copy of any information we hold about you
  • ask for any information we hold about you (for example demographic information) to be changed if it is inaccurate
  • ask us to consider restricting our use of your information, although this is not an absolute right and we may need to continue to use your information in the interests of public health – we will tell you why if this is the case
  • object to us using any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
  • delete any of your information or sample held, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
  • ask us, in appropriate circumstances, to transfer your personal information to a recognised health authority in another country
  • ask us, in appropriate circumstances, to transfer your personal information to a recognised health authority both in the UK and in other countries, but also to your private health provider (your record in a machine readable format will be provided to you)

You can exercise any of your rights by contacting us at informationrights@ukhsa.gov.uk

Once we receive your request, members of our Data Protection team will endeavour to get back to you as soon as possible to confirm receipt.

If you’re unhappy or wish to complain about how your personal information is used by the UK Health Security Agency (UKHSA) you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office.

You can contact the DHSC’s Data Protection Officer at data_protection@dhsc.gov.uk or by writing to:

Office of the Data Protection Officer
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU

If you make a request, we have one month to respond to you.

If you are unhappy or wish to complain about how your personal data is used as part of this programme, you should contact DHSC in the first instance to resolve your issue. DHSC may have to work with partner organisations to resolve your complaint.

If you are still not satisfied, you can complain to the Information Commissioner’s Office.

Patients living in Wales, Scotland or Northern Ireland

If you live in Wales, Scotland or Northern Ireland, further information about how your government will use your information (which is specific to each country) can be found here:

Annexe 1: types of antibody tests

There are different types of antibody tests to check if you have had the virus or been vaccinated. Make sure you check the message you receive to help you understand what your result means.

This test requires a sample of blood. This test can be conducted at home (or other non-hospital environment) and requires you to take your own sample of blood.

The home test kit contains all you need to take your test at home, as well as instructions on how to take the test.

This sample is then sent to a pathology laboratory for analysis. Once the results are known, you will be informed of the result.

Annexe 2: list of data processors

Each organisation that processes your information must provide you with information about how they do this, and this information will be limited to their role in the test programme. This should be publicly available on their website or can be requested from them. For example, if you want to know more about how NHS Digital uses your information, then you can visit their website.

Data processors can only act upon written instruction from a data controller, they cannot use data and information without permission of the data controller.


Name
Services they provide

Amazon Web Services (AWS)
Provide digital solution for ordering home test kits

Barcode Warehouse
Provide barcodes for test kits

Courier 1 (DHL)
Collect completed test kits from homes and deliver them to labs

Courier 2 (Royal Mail Group)
Collect completed test kits from homes and deliver them to labs

Courier 3 (Kuenhe + Nagel)
Collect completed test kits from homes and deliver them to labs

Deloitte
Send invitation text to groups of the general public as directed by UKHSA

Host and maintain the AWS platform that the Test Tracking System sits on

Manage the registration for prioritisation of test kit allocation and is responsible for holding this data and making it available to the NHS

EMIS
Receive test result data and add this to the GP record

Experience Lab
Provide user/market research for people who have undertaken tests

Kainos
Build the digital solution

Laboratory 1 (Gloucester)
Analyse sample from the completed test kit and share results with NPEx

Laboratory 2 (Surrey)
Analyse sample from the completed test kit and share results with NPEx

National Pathology Exchange (NPEx) – hosted by Calderdale and Huddersfield NHS Trust
Receive results from labs and link results to test registration details

Flow results data to NHS Business Services Authority

Flow results data to NHS Digital

Flow results to your GP record via the EMIS Keystone product

NHS Business Services Authority (NHS BSA)
Receive test results and notify individuals of their results

NHS Digital
Collect results data on behalf of the four home countries

Match patients to results if this cannot be achieved at NPEx

Provide information for organisations in response to COVID-19

Provide results data to the devolved administrations

Teleperformance
Provide call centre assistance

Thriva
Supply home test kits and collate results from labs (handling the systems integration for this)
Back to top