Guidance

Testing for coronavirus: privacy information – quick read

Updated 29 January 2024

This guidance was withdrawn on

This content is now available at COVID-19: guidance and support.

Applies to England

© Crown copyright 2024

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/coronavirus-covid-19-testing-privacy-information/testing-for-coronavirus-privacy-information-quick-read--2

Introduction

This privacy notice is provided, as part of the testing division of the NHS Test and Trace Programme. It explains how personal data about you and others is collected, used, shared, stored, and disposed of. It also explains your legal rights relating to its use. This notice summarises the key points from the coronavirus (COVID-19) testing programme privacy notice as a summary for a quicker read.

The NHS Test and Trace service covers England. It works in collaboration with the devolved administrations to ensure a consistent and joined-up approach to testing, tracing and outbreak management across the UK.

Background to Test programme of the NHS Test and Trace service

The NHS Test and Trace service is led by the Department for Health and Social Care (‘DHSC’ or ‘the department’) which is the ‘data controller’ for personal data processed within the service.

The government has rolled out a COVID-19 testing programme, to which you have chosen to take a test. This test will confirm if you currently have coronavirus.

What personal data we collect

The personal data that is collected and processed to operate Test programme includes:

  • full name (which included first and last name)

  • date of birth

  • other household members

  • NHS number (for English residents only - only if you know it. Wales, Scotland and Northern Ireland residents may need to provide a different local identifier, which will be specified upon registering for a test)

  • employer details

  • test result status (whether positive more than 90 days ago)

  • NHS Login account identifier (if you access our services using your NHS login details)

  • vaccination status

  • date and details of COVID-19 Symptoms

  • home and delivery address (including postcode)

  • postcode district

  • NHS number,

  • national Insurance number

  • phone numbers

  • email address

  • gender

  • vehicle registration number (if booking a drive-in testing appointment)

  • job title

  • passenger journey details (such as recent travel history- whether you travelled overseas in the last 14 days and the country you spent most time in)

  • health data (such as your test results)

  • close contact details (the name and contact details of people you have been in close contact with)

  • data revealing racial or ethnic origin

  • genetic data

  • whether you are clinically vulnerable or require additional support

How your information will be used by the NHS Test and Trace service

DHSC as the controller of your personal data, will use it for the following purposes:

  • confirming the appointment to the test site
  • performing a QR code check at the test site
  • receiving and processing your test
  • returning your results to you
  • contacting you (if you test positive) as part of the government contact tracing programme
  • sharing your results with Welsh, Scottish and Northern Irish health bodies (if you live in that country) to inform local planning and responses to COVID-19
  • sharing results with Public Health England (if you live in England) to help plan and respond to COVID-19
  • sharing your vaccination status with Public Health England (if you live in England) to understand the effectiveness of COVID-19 vaccines, including their effectiveness against different strains of the COVID-19 virus, and, where appropriate, to ask you to do a repeat test and/or an antibody test
  • sharing your self-isolation status with your local authority (if you live in England) to verify any application you may have made for a self-isolation support payment
  • sharing your self-isolation status with your local authority (if you live in England), to enable them to provide support and guidance to you if you are self-isolating. If there is evidence to suggest you are not complying with the duty to self-isolate without reasonable justification, your local authority may pass this information on to local police to investigate further. This may lead to enforcement action being taken against you, which could include you being fined. Local authorities may also share data with third-party organisations such as charities for support purposes
  • sharing your self-isolation status with relevant police forces to support mandated self-isolation periods and any enforcement action that may result (if you live in England)
  • sharing your COVID-19 test result with your local hospital, if you are booked in for elective surgery (via your Summary Care Record). This only applies if you have taken a test and you have a Summary Care Record
  • sharing your results with NHS Digital to analyse data in relation to COVID-19 (for residents in England)
  • undertaking quality assurance of the testing process (for example, clinical process assurance)
  • instructing the data processors to share data for research purposes. The data processor will have appropriate data security to manage this data
  • monitoring the flow of test data across the NHS Test and Trace systems to ensure that the tests being submitted to laboratories flow across the systems and are processed – known as test flow monitoring. For analysis to support operational decisions to improve the full end-to-end testing process
  • contacting you to invite you for a survey to better understand motivation and behaviours related to LFD results reporting

A full breakdown of all the purpose to which your personal data would be used for is available

How your information will be shared by NHS Test and Trace

Personal data is shared with different recipients, who sometimes are processors for us, to help us operate all elements of the service. For example, this may include NHS Digital. Other recipients may need your personal data for their own purposes, such as local authorities, devolved administrations, the Home Office, and travel operators who may need such personal data to understand which countries you have travelled to, for contact tracing requirements or other lawful purposes.

A full list of all recipients and their role is available

Data processors and other recipients of your data

Organisations who use your data and information on behalf of a controller, can only do so with clear instructions from the controller and cannot use your data and information for any other purpose. Any use of information that is not covered by the instructions from the controller would be unlawful, unless the controller agrees and provides written permission to do this. DHSC have appointed data processors to carry out the following activities:

  • registration of your test
  • to schedule appointments and capture information at the point of testing
  • check your QR code on site
  • check your identity as part of part of ordering a home test (this is not a credit check and does not affect your credit score)
  • to oversee the logistics of test kit deliveries
  • link your personal details (provided on registering for the test) to the test result
  • forward your test results, email address and phone number to NHS Business Services Authority to send you your test results
  • receive data to enable your results and supporting information to be communicated back to you by text and email, along with supporting information
  • ensure your test data is being processed properly

Lawful basis for processing your personal data

Data protection law requires that we explain to you how the processing of your personal data is lawful. Each element of the Test and Trace programme has been assessed to ensure that it complies with both the UK Data Protection Act 2018 and, where applicable, the UK General Data Protection Regulation (UK GDPR).

The lawful basis for all elements of the Testing programme under the NHS Test and Trace service are stated in our detailed privacy notice.

How long we keep information about you

We will retain your personal data for up to 8 years, in accordance with the Records Management Code of Practice for Health and Social Care 2021, but will dispose of your data sooner if it’s appropriate to do so. For Welsh, Scottish and Northern Ireland residents, please see Residents living in Wales, Scotland or Northern Ireland for country-specific information on retention of records.

Your data will be stored and processed in the UK. Fully anonymous data, for example statistical data (which does not allow you to be identified), may be stored and processed outside of the UK.

Personal data protection and storage

We handle your personal data in accordance with adequate and reasonable procedures and technologies in order to maintain and protect its security, availability, confidentiality and integrity, and prevent its unlawful or unauthorised processing, accidental loss or damage, from its collection until its destruction.

International data transfers

Personal data may be shared with the World Health Organization (WHO) as part of an international co-ordinated response to the COVID-19 pandemic. These transfers of personal data are made under Article 49(1)(d) of the General Data Protection Regulation – where we need to make the restricted transfer for important reasons of public interest.

Your rights

By law, you have several rights in relation to your personal data, such as the right to access information held about you. Your rights, their applicability, and how they can be actioned are explained in the detailed testing privacy notice.

Security

We use appropriate technical, organisational and administrative security measures to protect any information. This is overseen by our Chief Information Security Officer. We have written procedures and policies which are regularly audited, and the audits are reviewed at senior level within the DHSC, and also externally audited by third party assurance providers, and sometimes by the regulator (the Information Commissioner’s Office).

Automated decision making or profiling

DHSC considers that any automated decision making is authorised by law, specifically section 2A of the NHS Act (2006) which permits the Secretary of State to take such steps as he considers appropriate for the purpose of protecting public health.

Changes to this policy

We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on GOV.UK.

Residents in Wales, Scotland and Northern Ireland

If you live in Wales, Scotland or Northern Ireland, further information about how your government will use your information (which is specific to each country) can be found here:

The privacy notice has 8 annexes.

Back to top