Guidance

Workforce testing privacy notice

Published 11 February 2022

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/covid-19-workforce-testing-privacy-notice/workforce-testing-privacy-notice

Introduction

On 1 October 2021, the UK Health Security Agency (UKHSA) was formed as an Executive Agency of the Department of Health and Social Care (DHSC) and combines many of the health protection activities previously undertaken by Public Health England (PHE) together with all of the activities of the NHS Test and Trace programme and the Joint Biosecurity Centre (JBC). The processing activities previously undertaken by these organisations and their data processors have not changed. Individual rights are not affected by this change.

UKHSA is responsible for planning, preventing and responding to external health threats, and providing intellectual, scientific and operational leadership at national and local level, as well as on the global stage. UKHSA will ensure the nation can respond quickly and at greater scale to deal with pandemics and future threats.

You can read more about what UKHSA does on our website. Our general privacy notice explains the personal data we collect and use to fulfil our remit. We have also published a separate privacy notice explaining how your personal data may be used as part of the response to the coronavirus (COVID-19) pandemic. DHSC is the data controller for the personal data we collect, store and use to fulfil our remit.

This workforce testing privacy notice provides you with information about how we use personal data for the COVID-19 workforce testing programme. It covers the collection and use of your personal data, from undertaking lateral flow workforce testing to providing the results to DHSC.

The personal data we collect and how it is used

As a critical part of our response to COVID-19, we collect and use personal data about the workforce of private organisations that provide frontline care. This is for the following purposes:

1. When you undertake a test, your employee number, name, date of birth and job title is shared with UKHSA to ensure that the necessary risk assessments are undertaken.

2. Your data enables UKHSA to produce a daily COVID-19 case report.

3. Your data enables UKHSA to support employers to cover loss of earnings during periods of self-isolation for those people working on test sites.

4. Your data helps to populate a national testing database.

5. Your data contributes to national and regional understanding of the spread of the virus.

6. Your data assists with workforce planning.

7. Your data helps DHSC to meet legal obligations to the ongoing health and welfare of the frontline care workforce.

Lawful basis for processing personal data

Workforce testing relies on the following lawful bases for processing your data, in accordance with the UK General Data Protection Regulation (UK GDPR):

GDPR Article 6(1)(e): ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

Special category data

GDPR Article 9(2)(h): ‘processing is for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’.

GDPR Article 9(2)(i): ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’.

How this data will be used

The information will be uploaded to a national testing database managed on behalf of UKHSA by Deloitte UK.

Deloitte UK is a processor working under contract for UKHSA and can only process data for the purposes specified by UKHSA.

Results of tests will be returned directly to the person being tested within 72 hours.

UKHSA will use the information provided by the employers to validate and make payments to them. If you are required to self-isolate, you will be paid via your existing payroll by your employer.

How long this information will be retained

The information will be held for a maximum of 8 years to ensure that the health status of the individual staff member can be monitored, and appropriate action taken to protect that staff member and take measures to contain the spread of the pandemic.

Emails are deleted permanently by UKHSA as soon as possible while the attached forms are extracted from the emails and retained as per UKHSA retention schedule.

Your rights

Under data protection law, you have several rights over your personal data. These include your right to:

  • ask for access to personal data we hold about you
  • ask for personal data we hold about you (for example demographic information) to be changed if it is inaccurate
  • ask us to consider restricting our use of your personal data, although this is not an absolute right and we may need to continue to use your personal data in the interests of public health – we will tell you why if this is the case
  • object to us using any personal data we hold about you, although this is not an absolute right and we may need to continue to use your personal data – we will tell you why if this is the case
  • delete any personal data we hold about you, although this is not an absolute right and we may need to continue to
  • ask us, in appropriate circumstances, to transfer your personal data to a recognised health authority in another country
  • ask us, in appropriate circumstances, to transfer your personal data to a recognised health authority both in the UK and in other countries, but also to your private health provider (your record in a machine-readable format will be provided to you)

How to find out more or raise a concern

If you have any concerns about how we use and protect your personal data, you can contact DHSC’s Data Protection Officer at data_protection@dhsc.gov.uk

You can also write to:

Office of the Data Protection Officer
Department of Health and Social Care
1st Floor North
39 Victoria Street
London
SW1H 0EU

You also have the right to contact the Information Commissioner’s Office if you have any concerns about how we use and protect your personal data.

You can do so by calling the ICO’s helpline on 0303 123 1113, visiting the ICO’s website or writing to the ICO at:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Back to top