Corporate report

[Withdrawn] Coronavirus (COVID-19) passenger privacy notice

Updated 26 May 2021

This was published under the 2019 to 2022 Johnson Conservative government

This corporate report was withdrawn on

Withdrawn as the use of the passenger locator form and pre-departure testing is not current government policy.

© Crown copyright 2021

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/passenger-locator-form-privacy-notice/passenger-locator-form-privacy-notice

Why we collect your data

Due to the worldwide pandemic, caused by coronavirus (COVID-19), the UK government has taken measures to stop the spread and save lives. Your personal data is still protected by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

The passenger locator form (PLF) is part of that alongside Pre Departure Testing (PDT). The PLF is designed to track and trace those individuals who may have come into contact with another person who has, or goes on to develop, coronavirus. It is also used to monitor self-isolation of those individuals who have been abroad and returned to the UK and who are not exempt from self-isolation measures.

Your data captured through the PLF and PDT is collected by the Home Office (data controller) on behalf of the UK government. This privacy information notice explains how:

  • the Home Office may use your data, and disclose it to other organisations
  • these organisations may use this personal data to carry out their functions

We may use your data for the purposes of taking enforcement if there is a reasonable suspicion that a person is not self-isolating. Separately, we may collect and process your personal data to carry out enforcement if you fail to complete a PLF, or fail to supply a PDT negative test result, on arrival in the UK.

Your details may also be disclosed to and used by UK police forces (data controllers) where there is a reasonable suspicion that you are not self-isolating and enforcement action may ensue. This may involve the issuing of a FPN and prosecution.

Where you have to obtain a negative coronavirus (Covid 19) test (“PDT negative test result”), before departing on your journey to the UK, you will need to make that information available to the transport operator carrying you to the UK. Failure to do so can lead to the transport operator refusing you permission to travel.

We may collect and process your personal data to carry out enforcement if you fail to produce a PDT negative test result or evidence that you have completed a PLF. The information may be used and disclosed for enforcement purposes by Border Force and other enforcement agencies should it be necessary. It is an offence to present a false document.

How we protect your personal information

Your personal data will be processed securely. We do that by having systems and policies in place that limit access to your information and prevent unauthorised disclosure. In addition, we limit access to your personal data to staff, contractors and third parties who have appropriate security clearance and a genuine business need.

Who may have access to your data

Your personal data may be shared by the Home Office with UK Health Bodies (Data Controllers) and to carry out track and trace and where applicable with law enforcement agencies such as UK police forces and transport regulators. It may be shared with other government departments (this may include contractors) or agencies for matters that are not incompatible with the health purposes of the track, trace and enforcement of coronavirus in order to:

  • prevent danger to public health as a result of the spread of coronavirus
  • monitor the spread of infection or contamination with coronavirus
  • give effect to an international agreement to prevent the spread of coronavirus

We may share your personal data with other organisations to fulfil their functions, where there is a lawful basis to do so, such as law enforcement agencies (for example UK police forces) to enable enforcement activities related to coronavirus track and trace and prevention of its spreading. We may also share your personal data with transport regulators (Civil Aviation Authority, Maritime Coastguard Agency and the Office of Rail and Road), who may take enforcement action against the transport operators, who carried you to the UK.

How long we will keep your data

The Home Office will hold your personal data for 42 days. It may be held longer where the law allows us to and where your details are being used for related work, such as ongoing enforcement action.

UK health bodies may need to hold your personal data for differing periods, for example to monitor the spread of coronavirus and to prevent danger to public health as a result of coronavirus. For more information, please see the links to those bodies for the 4 countries of the UK set out further below.

UK police forces and other enforcement agencies may also have differing periods of retention if enforcement action is being taken. For more information please check the privacy section of the police force website in the area where you live or will be staying in the UK.

We are only allowed to use, gather and share personal information where we have an appropriate legal basis to do so under the General Data Protection Regulation (GDPR) or the Data Protection Act 2018.

We will only process your personal data where it is necessary to perform our legal and official functions. The legal basis for the processing of your data is Article 6(1)(e) of the GDPR – that is, that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

We may also process special categories of personal data on the basis of Article 9(2)(g) of the GDPR, where the processing is to further coronavirus measures which are necessary for reasons of substantial public interest.

We may also process your personal data under Part 3 (law enforcement processing) of the Data Protection Act 2018 and Article 10 of the GDPR, where it comprises personal data relating to criminal convictions and offences.

Transfers of personal data to other countries

The GDPR applies to all personal data within the European Union, but rights may be enforced, where applicable, in other parts of the world.

We may transfer personal data to authorities or organisations in countries outside the European Economic Area. When we do, this will be for specific purposes laid down in law.

When we do this, we seek to take appropriate steps to safeguard your information, for example by agreeing memoranda of understanding. We may rely on the derogation in Article 49(1)(d) of the GDPR where necessary and proportionate to do so with respect to the purpose of tackling coronavirus.

Contacting you using your information

In order to carry out test and trace functions, you may be contacted by UK health bodies by telephone on the numbers you have provided. This may include SMS text messaging. You may also be visited by law enforcement agencies if it is suspected that you are not self isolating or have breached a requirement in relation to coronavirus restrictions. You may be contacted in writing at your address, for example to issue a FPN or for related enforcement action.

Automated decision making

Your personal data will not be used to make any automated decisions that have a significant legal effect.

More Information on privacy

Your personal data is collected and used by the Home Office when the law allows us to and where it is necessary and proportionate to do so.

Read more about how the Home Office uses and shares personal data, including your data protection rights.

This personal data may be shared with UK health bodies. Read more details of how they will use your personal data, including your data protection rights:

UK police forces and other enforcement agencies may also process your personal data. For more information please check the relevant privacy section of the website of the police force in the area where you live or will be staying in the UK.

How to make a complaint

Due to the multi agency approach to the coronavirus pandemic, your personal data will be shared with the organisations as outlined above. Each of these will have their own data protection officer (DPO) and complaint process. For more detailed information on those organisations, the contact details for their DPO and your rights in respect of your personal data, please see the links to their privacy information notices above.

You also have the right to complain to the Information Commissioner’s Office about the way we handle your information or the exercise of your other rights under the GDPR or the Data Protection Act 2018.

Postal applications are not being processed because of coronavirus until further notice.

You can contact the Information Commissioner’s Office by telephone on 0303 123 1113.

Back to top