Guidance

[Withdrawn] Privacy notice for use by independent health providers

Updated 18 August 2021

This guidance was withdrawn on 1 April 2022

Current information is available for ordering coronavirus (COVID-19) rapid lateral flow tests

Applies to England

Ownership of personal data

To enable the COVID-19 testing to be completed at [name of organisation], we need to process personal data, including the sharing of personal data where this is allowed under data protection legislation. [Name of organisation] is the data controller for the data required for the management of tests, implementing local arrangements in the event of a positive test and collecting details of who has received each test kit.

We will process personal data relating to users, under article 6.1(f) of the UK GDPR – it is necessary in the legitimate interest of the data controller. We will process special category personal data under the provisions of article 9.2(i) of the UK GDPR, and Part 1 of Schedule 1(3) of DPA 2018 where it is in the public interest on public health grounds to ensure we can minimise the spread of COVID in a timely manner and enable us to continue to deliver services as safely and securely as possible.

Ownership of personal data shared with DHSC

When you do your own testing at home, you must report the results online to DHSC and also tell the [name of organisation]. See reporting test results.

The Department for Health and Social Care (DHSC) is the data controller for the information that you provide to them about you and your test results. For more information about what DHSC do with your data see their privacy notice.

The [name of organisation] remains the data controller for the data we retain about you for the management of tests and implementing local arrangements in the event of a positive test. You can read our privacy notice on our website or you can request a copy is sent to you. This will help you understand how your personal data is used prior to taking a test.

Personal data involved

The following personal data is processed by the [name of organisation] in relation to your test:

• name
• unique code assigned to each individual test and which will become the primary reference number for the tests
• test result

Test kit log

The following personal data is collected from you by the [name of organisation] in relation to Self Test kits you are provided to use at home:

• first name, last name, telephone number and/or email address of test subject
• details of lot or batch number
• date of issue to user

For this test kit log the [name of organisation] is acting as a 'processor' for the DHSC, and this information will not be shared with DHSC.

How we store your personal information

The [name of organisation] will maintain the test kit log, which would contain your personal details (outlined above). The [name of organisation] test kit log, will not be shared with DHSC. This information will only be stored securely on locally managed systems with appropriate access controls implemented by [name of organisation] and will only be accessible to personnel involved in the management of tests and implementing local arrangements in the event of a positive test.

The [name of organisation] shall not keep the data contained in the test kit log for longer than 12 months from the date on which it is collected.

DHSC will retain information for up to 8 years.

Processing of personal data relating to positive test results

The [name of organisation] will use this information to enact its own COVID isolation and control processes while ensuring respect to personal privacy in line with our data protection responsibilities.

Processing of personal data relating to negative and void test results

The [name of organisation] will record a negative and void result for the purpose of stock controls of tests and general performance of the testing process.

Data sharing partners

The personal data associated with test results may be shared with:

• DHSC, PHE – to ensure that they can undertake the necessary Test and Trace activities and to conduct research and compile statistical information about Coronavirus
• local government to undertake local public health duties and to record and analyse local spreads

You can see a full list of recipients.

The [name of organisation] will not share its internal COVID-19 results register with DHSC.

Your rights

Under data protection law, you have rights including:

• your right of access – you have the right to ask us for copies of your personal information
• your right to rectification – you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
• your right to erasure – you have the right to ask us to erase your personal information in certain circumstances
• your right to restriction of processing – you have the right to ask us to restrict the processing of your personal information in certain circumstances
• your right to object to processing – you have the the right to object to the processing of your personal information in certain circumstances
• your right to data portability – you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at [insert email address, phone number and or postal address of organisation’s data protection officer] if you wish to make a request.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at [insert your organisation’s contact details for data protection queries].

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113