Guidance

Test and Trace Support Payment scheme privacy notice

Updated 7 September 2021

Applies to England

© Crown copyright 2021

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/test-and-trace-support-payment-scheme-privacy-notice/test-and-trace-support-payment-scheme-privacy-notice

On 20 September 2020, the government announced a new package of measures to support and enforce self-isolation. As part of this, from 12 October 2020, a one-off support payment of £500 or access to a discretionary fund has been made available for eligible individuals to help them meet self-isolation requirements. See more information about this scheme.

For those applying, appropriate personal data will be processed to assess whether they are eligible to receive financial support, and if so, to provide a payment to them. This privacy notice sets out the personal data used, how it is used, and why it is used when someone applies for this support.

Data controller

The Department of Health and Social Care (DHSC) is the data controller for the purposes of providing Test and Trace data to help validate a claim and to confirm if the applicant has been told to self-isolate.

The local authorities who process applications for support are the data controller for the purposes of assessing the applicant’s eligibility, administering and making payments under the Test and Trace Support Payment scheme.

New package to support self-isolation

You may be entitled to financial support during your self-isolation period if both the following are true:

  • you’ve been told by the NHS to self-isolate – either because you’ve tested positive for COVID-19 or you’ve been in contact with someone who has tested positive
  • you’re not exempt from self-isolation

If you’re the legal parent or guardian living in the same household as a child aged 15 or under who attends an education or childcare setting or someone aged 25 or under who has additional support needs, you may be entitled to some financial support during their self-isolation period.

Self-isolation payments

People who are eligible will receive a £500 lump sum Test and Trace Support Payment or discretionary payment to remain at home to help stop the spread of the virus.

Categories of personal data we collect and process

When completing an application for a Test and Trace Support Payment, an individual may be asked to provide the following information:

  • full name
  • full residential address
  • contact details (for example, an email address or phone number)
  • proxy applicant details (as above where you may nominate someone else to complete this application on your behalf or where you may be completing the application as a parent or guardian)
  • employer name and address (where applicable)
  • Contact Tracing ID, sometimes referred to as a ‘CTAS number’ the unique reference you will be given by NHS Test and Trace to self-isolate – where applicable)
  • letter of self-isolation requirement from an education or childcare setting and/or an education, health and care plan (where applicable)
  • bank account details
  • National Insurance Number
  • proof of self-employment, for example recent business bank statement (within the last 2 months), most recent set of accounts or evidence of self-assessment
  • vaccination status

Source and categories of personal data

The NHS Test and Trace Service will confirm if an individual has either tested positive for COVID-19 or been in close contact with someone who has tested positive for COVID-19 and is required to self-isolate as a result. As this data is related to an individual’s health it is referred to as ‘special category data’.

The individual applicant or their nominated representative will also provide the relevant personal data referenced above in relation to an application for a Test and Trace Support Payment.

What the personal data will be used for

The local authorities who process applications for support will carry out checks and potentially share data with the NHS Test and Trace Service, the Department for Work and Pensions (DWP) and Her Majesty’s Revenue & Customs (HMRC) for verification purposes.

Where an application has been made to help support a child’s self-isolation requirement, local authorities may verify this with the relevant education or childcare setting.

Where applicable, employers may also be contacted and asked to provide further information to help validate an application.

Certain information will be provided to HMRC in relation to any payments made, as Test and Trace Support Payment scheme payments are subject to tax.

Individuals who are self-employed will need to declare any payment on their self-assessment tax return.

Information relating to applications will be shared between DHSC and local authorities to help understand public health implications, support anti-fraud checks by validating the payment bank account details, and to determine how well the scheme is performing.

Local authorities may use Test and Trace Support Payment application data to carry out wider benefit accuracy checks, but only where they have a valid lawful basis for doing so.

Our lawful basis for processing the personal data

There must be a lawful basis to process an individual’s personal data. The lawful basis in the processing undertaken in assessing eligibility for, and in making any self-isolation payments is based on a legal obligation.

When using personal data to confirm that an individual is eligible for a Test and Trace Support Payment, the sections of the law that apply are:

  • GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • GDPR Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare;
  • Data Protection Act 2018 Schedule 1 Part 1 (3) – public health purposes

Separately, special permission from the Secretary of State for Health and Social Care is in place to use confidential patient information without people’s explicit consent for the purposes of diagnosing, recognising trends, controlling and preventing, and monitoring and managing communicable diseases and other risks to public health.

This is known as a ‘section 251’ approval and includes, for example, using an individual’s test results if they test positive for COVID-19 to start the contact-tracing process.

The part of the law that applies here is section 251 of the National Health Service Act 2006 and Regulation 3 of the associated Health Service (Control of Patient Information) Regulations 2002.

See more information on this in the NHS Contact Tracing Privacy Notice.

Data processors and other recipients of the data

The recipients with which the personal data may be shared are as follows:

  • DWP for application validation
  • HMRC for tax purposes
  • employer for verification checks purposes (where applicable)
  • TransUnion UK who carry out a validation check on the payment account number and sort code

The local authorities administering the Test and Trace Support Payment scheme may use third parties to help them with certain aspects of the processing, such as cloud storage providers or website support.

Details of any such data processors will be listed in the authorities’ data protection notice, usually available on their website.

International data transfers and storage

No personal data will be transferred or processed outside of the European Economic Area (EEA).

Personal data disposal and retention

For the personal data processed by the DHSC, your information will be stored in line with the Records Management Code of Practice for Health and Social Care 2016. This means your personal data may be retained for up to 8 years before being securely disposed of.

Local authorities will only retain your personal data for as long as it is needed for the purposes of the COVID-19 emergency, and for audit and payment purposes.

Each data controller will publish more specific information in relation to data retention periods on their websites, and these should be consulted accordingly.

Cookies

Cookies are small text files that are placed on your browser. See how we use cookies.

Your rights as a data subject

By law, data subjects have a number of rights and this processing does not take away or reduce these rights under the UK General Data Protection Regulation and the UK Data Protection Act 2018 applies.

These rights are:

  • the right to get copies of information – individuals have the right to ask for a copy of any information about them that is used
  • the right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected
  • the right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used
  • the right to object to the information being used – individuals can ask for any information held about them to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
  • the right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case

Anyone unhappy or wishing to complain about how personal data is used as part of this programme, should contact data_protection@dhsc.gov.uk in the first instance or write to:

Data Protection Officer
Department of Health and Social Care
1st Floor North
39 Victoria Street
London
SW1H 0EU

Anyone who is still not satisfied can complain to the Information Commissioners Office. Their website address is www.ico.org.uk and their postal address is:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Security

Appropriate technical, organisational and administrative security measures in line with regulatory guidelines are used to protect any information held from loss, misuse, and unauthorised access, disclosure, alteration and destruction. Written procedures and policies are in place which are regularly audited, and the audits are reviewed at senior level.

Automated decision making or profiling

No decision will be made about individuals solely on the basis of automated decision making (where a decision is taken about them using an electronic system without human involvement) which has a significant impact on them.

Changes to this policy

This privacy notice is kept under regular review and was last updated on 24 August 2021.

Back to top