Coronavirus Test and Trace Privacy Notice
Countess Anne School – September 2020
The development of the NHS Test and Trace scheme is a key part of the government’s plan to manage Coronavirus. As a private individual, compliance with the scheme may be optional, so that an individual cannot be forced to provide details when visiting some types of establishments. However, schools are public authorities and have a legal duty to protect and promote the welfare of pupils, as well as a duty of care to staff. We are required to manage confirmed cases of coronavirus (COVID-19) amongst the school community to contain any outbreak by engaging with the NHS Test and Trace process and by following local health protection team advice.
If a person in a school has COVID-19 or symptoms of the virus they will be sent home, as will other people in school who have had contact with this individual and who may be at risk. In a school setting, it is unlikely that any one individual will know the details of others around them who may have been affected. It is only the school that will have that data. We would notify individuals about a risk, and in many instances that will be sufficient.
However, the Department for Education guidance says:
‘As part of the national test and trace programme, if other cases are detected within the child or young person’s cohort or in the wider education or childcare setting, Public Health England’s local Health Protection Teams will conduct a rapid investigation and will advise schools and other settings on the most appropriate action to take.’
If a case or suspected case of Coronavirus arises in our school then it may be necessary for us to share contact data of employees, pupils/students, contractors or visitors with NHS Test and Trace workers in order to make the process as effective as possible. Although at no point will we share data without a sound legal basis, in this situation it is not a matter of giving consent to share data, as there is a Public Duty to do so. This data will usually only consist of names and contact details, e.g. email address and/or telephone number.
We will therefore be sharing data on the basis that this is a Public Duty and, in the case of any health data, that it is necessary for the public interest, as set out below. It will only be used and retained in line with national guidelines and the applicable data protection laws. Where data needs to be shared we will:
- only share data with the relevant authorities
- verify the identity of persons requesting personal data
- limit the data shared to the minimum necessary
- ensure the data is kept secure, and only share via secure methods
- keep a record of the data shared, under the strictest confidence
- notify any individuals whose data has been shared (where possible)
NHS Test and Trace and the Law
The law on protecting personally identifiable information, known as the General Data Protection Regulation (GDPR), allows Public Health England to use the personal information collected by NHS Test and Trace. The section of the GDPR that applies is:
Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’
As information about health is a special category of personal information, a further section of the GDPR applies:
Article 9(2)(i) – ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare’
Public Health England also has special permission from the Secretary of State for Health and Social Care to use personally identifiable information without people’s consent where this is in the public interest. This is known as ‘Section 251’ approval and includes the use of the information collected by NHS Test and Trace to help protect the public from coronavirus. The part of the law that applies here is Section 251 of the National Health Service Act 2006 and the associated Health Service (Control of Patient Information) Regulations 2002.
The privacy notice for the service can be found here:
Rights of Data Subjects in relation to their personal data
Any data subject has the right to request access to personal data that we hold about them. To make a request for access to their personal data, individuals should contact our DPO.
Individuals also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with our DPO in the first instance. You can also contact the Information Commissioner’s Office, if necessary, at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact:
Zac Egau – Data Protection Officer:
This Privacy Notice should be read alongside the other GDPR and Data Protection documents on our website.
This page is awaiting content