Privacy Policy

Swab Testing

Coronavirus Swab Testing: Privacy Information

Published September 2020

Introduction

The Coronavirus test will confirm whether you currently have COVID-19. This is so that you can:

  • take the right steps to look after yourself
  • protect others
  • know if you’re fit and well to return to work
  • potentially reduce the amount of time you have to self-isolate for

We strongly recommend that you inform your employer if you test positive for COVID-19 because they will need to take action to support you and manage any impact on the organisation (such as inviting others you work closely with to be tested). If there is reasonable evidence that you contracted COVID-19 from a work-related exposure, your employer is obliged to report this to the Health and Safety Executive, as required by the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR).

Via this Surrey Heartlands process you will be invited for a self-administered test at a mobile testing site within Surrey Heartlands.

Taking a test is completely voluntary and you do not have to take it, but are encouraged to do so. You will be sent an email with a link to the Surrey COVID19 Testing Portal, where you will be asked to register for the swab test.  This will include providing personal details in order for the sample to be processed by the laboratory.  You will need to have access to a printer in order to download and print a test form to take with you to the testing site.  Without a printed copy of this form, you cannot carry out the swab test via the Surrey Heartlands process.

Once you have taken the test, your sample will be analysed in a laboratory and the result (detected, not detected, or not processed) will be available to you on the Surrey COVID 19 Testing portal, which you can access by logging on with the registration details sent to you at the start of the process.

If you’re resident in England, your test result will also be sent to a central database, along with other information relating to COVID-19, to enable organisations to respond to COVID-19. This database is held by NHSX (which is an organisation made up of NHS England and Department of Health and Social Care (DHSC) staff) and controlled by NHS England (on behalf of all UK countries). All information in this database is held securely and access to this information is tightly governed, in line with Data Protection requirements.

For residents in Wales, Scotland and Northern Ireland, your health bodies or national government have requested NHS Digital to collate test results for your country, so they can be sent to the relevant public health body in your country to aid their response to COVID-19.

How your data will be used

We will use the data you supply to arrange for you to receive a test at one of our testing sites.  The results of your test will be communicated to you, and your GP Practice will be able to access the results should these be required by them for your care and treatment.

Your information may also be used for different purposes that are not directly related to your health and care. Wherever possible, this will be done using information that does not identify you (anonymous data). These include:

  • research into COVID-19 (including potentially being invited to be part of clinical trials)
  • planning of services or actions in response to COVID-19
  • monitoring the progress and development of COVID-19

Information provided by you, and collected about you, in relation to testing for COVID-19 will not be used for any purpose that is not linked to COVID-19, such as law enforcement or immigration services.

Whenever possible, information that does not directly identify you will be used for these purposes, but there may be times when it is necessary for your personal data to be used. Any releases of information that identify you will be lawful and the minimum necessary for that purpose.

NHS Digital is required, under law, by DHSC and NHS England to collect, analyse and share information and data relating to COVID-19, when this information is requested by other health and care organisations or researchers. This information may be collected from various health and care organisations and may be given to other health and care organisations responding to COVID-19.

Data Controller

NHS Surrey Heartlands Clinical Commissioning Group, on behalf of the Surrey Resilience Forum, have commissioned the Trustwide system for undertaking the testing programme within Surrey.  The CCG is therefore the Data Controller of the data gathered during the coronavirus testing programme for the purposes of Data Protection legislation. The CCG decides what information is required and how it needs to be used.

NHS England are the Data Controller for data gathered during the testing programme once it has been transferred to them by the CCG for the purposes of undertaking national research.

What personal data we collect

The details we need from you to arrange testing and for the research are:

  • First and last name
  • Date of Birth
  • NHS Number
  • Email address
  • Phone number
  • Occupation
  • Service / Team
  • Work Location
  • Gender
  • Ethnicity
  • Previous Covid-19 infection results
  • Health data (including the results of your tests and whether you are suffering from certain symptoms)

Purposes your information will be used for

Your data will be used for the following purposes:

  • Arranging for you to receive a COVID swab test
  • National and local research which will provide information on the prevalence of COVID-19 in different regions of the country and help us better understand how the disease spreads

What types of information we use

To allow us to undertake the activities above we will use different types of information. This includes:

  • Identifiable Personal Data
    • Personal Data (for example your name, contact details, or date of birth)
    • Special Categories of Personal Data (which includes data relating to ethnicity and data relating to physical health)
  • Non-Identifiable Personal Data – this includes ‘Pseudonymised Personal Data’ where personal data which could be used to identify you has been replaced with a pseudonym.

The data used for research will always be pseudonymised prior to sharing with NHS England.

Data Processors and other recipients of your data

Organisations who use your data and information on behalf of a Data Controller can only do so with clear instructions from them. They cannot use your data and information for any other purpose.

Any use of information that is not covered by the instructions from the Data Controller would be unlawful, unless the Data Controller agrees and provides written permission to do this.

The CCG have appointed Data Processors, as indicated below, to carry out these activities:

  • Supplier of the Trustwide system used to gather data required to arrange testing – C&C Technology and Consulting Limited
  • Organisations involved in delivery of the Berkshire and Surrey Pathology Service, which will provide laboratories for the swab testing

Other recipients of your data may include:

  • The Department of Health and Social Care (DHSC)
  • NHS England
  • Organisations that undertake pseudonymisation of data on behalf of the CCG or NHS England

Legal basis

For processing data for testing and re-identification (if required to be sent to GP practices for direct care), the lawful basis under GDPR will be:

  • GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health
  • Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – health or social care purposes

The CCG’s official authority arises from the NHS Act 2006, Health & Social Care Act 2012, the Civil Contingencies Act, and the Coronavirus Act 2020. Power to arrange for provision of services or facilities that the CCG considers appropriate for the purposes of the health service (provided that the NHS CB does not have a duty to arrange for the provision of these services) that aim to secure improvements in physical and mental health, or in the prevention, diagnosis and treatment of illness, for the people for whom the CCG is responsible. The lawful basis will apply to authorised processors of the CCG.

The Common Law Duty of Confidentiality expects that a duty of confidence is applied and that information should not be disclosed without the data subject’s consent.

Your rights under Data Protection Act 2018 and GDPR

By law, you have a number of rights as a data subject, such as the right to access information held about you.

This testing programme does not take away or reduce these rights, so you can still request (for example), from the organisations named in this notice, copies of the information they hold about you.

If you are unhappy or wish to complain about how your information is used as part of this programme, you should contact the CCG in the first instance to resolve your issue – please see our website for further information on how to do this.

However, you are also entitled to contact the Information Commissioner’s Office (ICO) if you have concerns about the way your information has been used. You can contact them by:

  • Visiting their website: ico.org.uk
  • Telephoning them on 0303 123 1113

Retention and storage of your information

The CCG holds records containing personal data for a limited amount of time and then securely destroys these when they are no longer required.  The CCG will ensure that records are held in accordance with the guidance and retention schedules included within the 2016 Records Management Code of Practice for Health and Social Care.  Please see our Records Management Policy for further information.

This means we will keep your personal information for up to 8 years before we dispose of it.

Information that identifies you will be stored securely in, and processed in, the UK. Information that does not, and cannot, identify you may be stored and processed outside of the UK, for example information purely about the number of tests conducted, or the number of outcomes from tests.

Data Protection Officer

Under data protection legislation the CCG is required to have a Data Protection Officer (DPO) and it is their role to:

  • Inform and advise the organisation and its employees about their obligations to comply with applicable data protection legislation;
  • Support and monitor compliance with applicable data protection legislation;
  • Be the first point of contact for individuals whose data is being processed.

The Data Protection Officer for the CCG is Daniel Lo Russo

Email: [email protected]

Changes

We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your data.

This version was last updated by the Deputy DPO on the 21 September 2020.

Antibody Testing

Coronavirus Antibody Testing: Privacy Information

Published June 2020

Introduction

An antibody test can tell someone whether they have had the virus that causes Covid-19 in the past, by analysing a blood sample.  A positive antibody test demonstrates that someone has developed antibodies to the virus. The presence of antibodies signals that the body has staged an immune response to the virus.

Covid-19 is a new disease, and our understanding of the body’s immune response to it is limited. We do not know, for example, how long an antibody response lasts, nor whether having antibodies means you can’t transmit the virus to others. Our understanding of the virus will grow as new scientific evidence and studies emerge.

How your data will be used

We will use the data you supply to arrange for you to receive an antibody test at one of our testing sites.  The results of your test will be communicated to you and your employer. The results will not go on the employment record.  However, your GP Practice will be able to access the results should these be required by them for your care and treatment.

Data gathered during the antibody testing programme will also be securely transferred to a central database which is held and controlled by NHS England.  All information in this database is held securely, and access to this information is tightly governed, in line with Data Protection requirements.

The anonymised results from the testing programme will be used to undertake research which will provide information on the prevalence of COVID-19 in different regions of the country and help us better understand how the disease spreads.

Data Controller

NHS Surrey Heartlands Clinical Commissioning Group, on behalf of the Surrey Resilience Forum, have commissioned the Trustwide system for undertaking the antibody testing programme within Surrey.  The CCG is therefore the Data Controller of the data gathered during the antibody testing programme for the purposes of Data Protection legislation. The CCG decides what information is required and how it needs to be used.

NHS England are the Data Controller for data gathered during the antibody testing programme once it has been transferred to them by the CCG for the purposes of undertaking national research.

Other organisations will also support the delivery of the antibody testing programme and the related research but can only act on instructions provided to them by the CCG or NHS England. These organisations are known as Data Processors.

What personal data we collect

The details we need from you to arrange testing and for the research are:

  • First and last name
  • Date of Birth
  • NHS Number
  • Email address
  • Phone number
  • Occupation
  • Service / Team
  • Work Location
  • Gender
  • Ethnicity
  • Previous Covid-19 infection results
  • Health data (including the results of your tests and whether you are suffering from certain symptoms)

Purposes your information will be used for

Your data will be used for the following purposes:

  • Arranging for you to receive antibody testing
  • National and local research which will provide information on the prevalence of COVID-19 in different regions of the country and help us better understand how the disease spreads

What types of information we use

To allow us to undertake the activities above we will use different types of information. This includes:

  • Identifiable Personal Data
    • Personal Data (for example your name, contact details, or date of birth)
    • Special Categories of Personal Data (which includes data relating to ethnicity and data relating to physical health)
  • Non-Identifiable Personal Data – this includes ‘Pseudonymised Personal Data’ where personal data which could be used to identify you has been replaced with a pseudonym.

The data used for research will always be pseudonymised prior to sharing with NHS England.

Data Processors and other recipients of your data

Organisations who use your data and information on behalf of a Data Controller can only do so with clear instructions from them. They cannot use your data and information for any other purpose.

Any use of information that is not covered by the instructions from the Data Controller would be unlawful, unless the Data Controller agrees and provides written permission to do this.

The CCG have appointed Data Processors, as indicated below, to carry out these activities:

  • Supplier of the Trustwide system used to gather data required to arrange testing – C&C Technology and Consulting Limited
  • Organisations involved in delivery of the Berkshire and Surrey Pathology Service, which will provide laboratories for the antibody testing

Other recipients of your data may include:

  • Your employer
  • The Department of Health and Social Care (DHSC)
  • NHS England
  • Organisations that undertake pseudonymisation of data on behalf of the CCG or NHS England

Legal basis

For processing data for testing and re-identification (if required to be sent to GP practices for direct care), the lawful basis under GDPR will be:

  • GDPR Article 6(1)(e) – “the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
  • GDPR Article 9(2)(h) – “the processing is necessary for the provision of medical or social care or treatment”

The CCG’s official authority arises from the NHS Act 2006, Health & Social Care Act 2012, the Civil Contingencies Act, and the Coronavirus Act 2020. The lawful basis will apply to authorised processors of the CCG.

The Common Law Duty of Confidentiality expects that a duty of confidence is applied and that information should not be disclosed without the data subject’s consent.

Research Data

The Secretary of State for Health and Social Care has issued a general notice under the Health Service Control of Patient Information Regulations 2002 (COPI) to support the response to COVID-19. The notice requires NHS Trusts, Local Authorities and others to process confidential patient information (CPI) without consent for COVID-19 public health, surveillance and research purposes. The notice is currently in force until 30 September 2020 and provides a temporary legal basis to avoid a breach of confidentiality for COVID-19 purposes. At the time of expiry of the COPI notice, NHSE will apply for section 251 under the NHS Act 2006, for this activity.

The Health Research Authority (HRA) recommends that research organisations that are public authorities rely on public interest (Article 6(1)(e)) as their legal basis. Explicit consent under the GDPR is not necessary for health and care research.

Even though consent is not the legal basis for processing personal data for research, the common law duty of confidentiality is not changing, so consent is still needed for people outside the care team to access and use confidential patient information for research.

Other organisations involved in processing your data will be doing so either with an agreement in place with the CCG or DHSC / NHS England.

Your rights under Data Protection Act 2018 and GDPR

By law, you have a number of rights as a data subject, such as the right to access information held about you.

This testing programme does not take away or reduce these rights, so you can still request (for example), from the organisations named in this notice, copies of the information they hold about you.

If you are unhappy or wish to complain about how your information is used as part of this programme, you should contact the CCG in the first instance to resolve your issue – please see our website for further information on how to do this.

However, you are also entitled to contact the Information Commissioner’s Office (ICO) if you have concerns about the way your information has been used. You can contact them by:

  • Visiting their website: ico.org.uk
  • Telephoning them on 0303 123 1113

Retention and storage of your information

The CCG holds records containing personal data for a limited amount of time and then securely destroys these when they are no longer required.  The CCG will ensure that records are held in accordance with the guidance and retention schedules included within the 2016 Records Management Code of Practice for Health and Social Care.  Please see our Records Management Policy for further information.

This means we will keep your personal information for up to 8 years before we dispose of it.

Information that identifies you will be stored securely in, and processed in, the UK. Information that does not, and cannot, identify you may be stored and processed outside of the UK, for example information purely about the number of tests conducted, or the number of outcomes from tests.

Data Protection Officer

Under data protection legislation the CCG is required to have a Data Protection Officer (DPO) and it is their role to:

  • Inform and advise the organisation and its employees about their obligations to comply with applicable data protection legislation;
  • Support and monitor compliance with applicable data protection legislation;
  • Be the first point of contact for individuals whose data is being processed.

The Data Protection Officer for the CCG is Daniel Lo Russo

Email: [email protected]

Changes

We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your data.

This version was last updated by the Deputy DPO on the 16 June 2020.