Joint Privacy Notice

Important – Your Personal Information

Read our privacy notice below to find out how we’ll use and protect your personal information. We will only process your personal information or your child’s personal information in compliance with Data Protection Legislation.

Where possible, your or your child’s test results will be added to your medical record. Only your or your child’s GP and other authorised NHS staff, Public Health England, NHS Test and Trace staff and the local Health Protection Team can access your or your child’s test results. No-one else will be able to see your or your child’s personal test results.

Privacy Notice

The Department of Health and Social Care (DHSC) has commissioned the piloting of a coronavirus (COVID-19) testing programme (‘the Programme’) in Southampton.

This Privacy Notice explains how personal data (information about you or your child) collected as part of this Programme will be processed (collected, stored, used, and destroyed).

Data controllers and purposes for which your personal data will be used

At different points in the process, organisations have been commissioned to process your or your child’s personal data and may therefore have Data Controller status for the purposes of Data Protection legislation in deciding what information is required and how it needs to be used to deliver the Programme.

Each organisation will require a different level of information about you or your child, but all will use the minimum necessary to do what they are required to deliver their part of the Programme.

Data Controllers for the Programme responsible for looking after your or your child’s personal data and using it properly to deliver the Programme are:

  • The NHS (including University Hospital Southampton NHS Foundation Trust, Southampton Primary Care Limited, Southampton City Clinical Commissioning Group, NHS Test and Trace and the local Health Protection Team) for:
    • hosting the database on NHS secure servers which receives the registration data and test results for linkage to your or your child’s medical records
    • providing call centre assistance (test follow up and clinical enquiries)
    • analysing samples through an NHS-approved testing lab
    • sending out your or your child’s test results by text message to you
    • sharing your or your child’s test result data with your GP, the local Health Protection Team and NHS Test and Trace service if your or your child’s test result is positive to initiate contact tracing, and to other parts of the health and care system for monitoring and planning actions in response to COVID-19
    • gathering feedback to inform improvements that could be made to a full end-to-end testing process
  • GP surgeries – for:
    • linking test result data to your or your child’s GP record so they can plan what care you or your child needs
  • Southampton City Council (with advice from its Public Health Team) – for:
    • providing call centre assistance (general enquiries) and web chat service
    • registering participants and uploading data to the registration database
  • University of Southampton – for:
    • sending invitations to participate in the Programme to its employees and students
    • uploading data of participants to the registration database
    • fulfilment of test kits (printing address labels)
    • organisation of transport logistics (drop-off and pick-up of testing kits)
    • arranging for analysis of samples through an NHS-approved testing lab 
    • gathering feedback to inform improvements that could be made to a full end-to-end testing process
  • Schools (defined below) – for:
    • sending invitations to participate in the Programme to its employees and parents and guardians of pupils
    • sharing relevant personal data with University Hospital Southampton NHS Foundation Trust

When is personal data being collected?

We collect the data you provide us with when you have:

  • completed the registration form or your data is downloaded from the relevant school or University system
  • if you choose to ring up the enquiry call centre about your participation in the Programme so we can check your identity and help with your enquiry
  • taken a test producing a positive, inconclusive, or negative result

What personal data is being collected?

The details we may collect and process for you are:

  • first and last name
  • address, including postcode
  • mobile phone number
  • email address
  • date of birth
  • sex as registered at your GP
  • your test results (only accessible to you, and forming part of your medical record, by authorised NHS staff, including your GP, the NHS Track and Trace service and the local Health Protection Team to initiate contact tracing)
  • your GP surgery
  • your NHS Number
  • for students, your course details
  • for pupils, your parent or guardian’s name, your school and your class

How will my personal data be used?

Your details will be used to:

  • register you or your child and record your or your child’s participation in the Programme
  • match your or your child’s contact details with health data stored by the NHS
  • deliver test packs to you at your home address, if necessary
  • communicate with you about the Programme
  • contact you if you are the parent or guardian of someone under 16 who is participating in the Programme 
  • contact you with your test results by text message
  • contact you relating to a positive or inconclusive result to collect other medical information about your health relating to COVID-19
  • contact you to resolve any questions you might have about the Programme
  • phone you if you consent to being asked about your experiences on the Programme
  • phone you to gather feedback to inform improvements that could be made to a full end-to-end testing process

Where is my personal data stored?

Your data will be stored within the United Kingdom.

Is my personal data kept private and secure?

We have legal duties to keep information about you confidential. Strict rules apply to keep your information safe and comply with Data Protection Act 2018, the EU General Data Protection Regulation (GDPR) and organisational Data Protection policies.

The NHS database used to store your personal data linked with your health data is held securely on NHS servers and access to this information is tightly governed, in line with Data Protection requirements.

How long will my personal data be kept?

The information processed by the NHS is kept for as long as it is required to provide you with direct care and to support NHS initiatives to fight COVID-19. Information held for direct care purposes are stored in line with the Records Management Code of Practice for Health and Social Care 2016. This means such information will be held for up to 8 years before it is deleted. Any personal data gathered as part of this Programme for other purposes will be deleted at the end of the Programme.

What are my rights?

By law, you have a number of rights as a data subject and this testing programme does not take away or reduce these rights.

You have the right to contact the Data Controllers to ask for the following:

  • to be informed about the data held about you
  • to access the data held about you
  • to have the data held about you edited or updated where it is inaccurate or incomplete
  • to request that data held about you be erased
  • to request that the use of your data be restricted
  • to object to the use of your data

What is the lawful basis for collecting, storing, and using my data?

Data protection law requires us to have a valid legal reason (‘lawful basis’) to process and use your Personal data.

The NHS’s lawful basis for processing your personal data are:

  • GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health
  • Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – health or social care purposes

Other organisations involved in processing your data are doing so with an agreement in place with DHSC or the University of Southampton to provide that service, or with a lawful basis of their own.

The University’s lawful basis for processing your personal data for operational delivery of the Programme is legitimate interests.

The Schools (Mount Pleasant Junior (including students/staff based here who are registered at Springwell School), Maytree Infant, Swaythling Primary and Cantell School – all members of the Aspire Trust) lawful basis for processing your and your child’s personal data is GDPR Article 6(1)(e) – the processing is necessary for the performance of a task carried out in the public interest.

How can I find out more information or raise a complaint?

If you would like to raise a complaint about how your personal data is used as part of the Programme, you can phone the Enquiries team at: 0808 1962 282. Depending on your query, it will be forwarded to the relevant Data Controller to resolve your issue.

Please contact each Data Controller if you want to know more about their lawful bases for processing your personal data for their role in delivering the Programme. Links to each Data Controller’s privacy policy are below, which contain contact details for their Data Protection Officer.

Queries for the University of Southampton can also be sent direct to data.protection@soton.ac.uk. More details and the University’s Data Protection Policy can be found at: https://www.southampton.ac.uk/legalservices/what-we-do/data-protection-and-foi.page

Queries for Southampton City Council can be sent directly to dataprotection@southampton.gov.uk. More details and the Council’s Data Protection Policy can be found at www.southampton.gov.uk/privacy.

Queries for the Schools can be sent to the Chair of the Aspire Trust head@cantell.co.uk.

You may also complain to the Information Commissioner’s Office (ICO) if you believe that your personal data is handled in a way that is not lawful. See its website at ico.org.uk.