COVID-19 (Coronavirus) Local Contact Tracing Privacy Notice
Last updated: 22 October 2020
This privacy notice will be periodically updated to reflect any changes to COVID-19 contact tracing activities that involve use of personal data by the Council. This notice may be amended at any time, so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
This privacy notice explains how the Council uses your data for purposes related to contact tracing as part of the national response to COVID-19 (Coronavirus). The notice also provides information about your data protection rights.
The UK is currently experiencing a public health emergency as a result of the coronavirus (COVID-19) pandemic.
NHS Test and Trace is a national programme that aims to ensure that anyone who develops symptoms of coronavirus can be tested quickly and helps trace the recent close contacts of anyone who tests positive to notify them that they must self-isolate or offer support and advice to help stop the spread of the virus.
Public Health England has published privacy information for NHS Test and Trace.
The Council is helping NHS Test and Trace by contacting Nottinghamshire residents who have tested positive for the virus to ask them about their close contacts and places they have visited recently, and by identifying and contacting individuals who have been in recent close contact with residents who have tested positive.
Information will be collected by staff in the Council’s Customer Service Centre or Public Health teams, or by district councils and other organisations that are working with the Council as part of the community response to COVID-19.
Contact tracing is an important part of the Council’s Local Outbreak Control Plan. The Council will also use information provided by NHS Test and Trace or collected locally to provide advice on self-isolation, to identify potential locations of local outbreaks, and for other purposes where necessary to prevent danger to the health of the public as a result of the spread of infection or contamination with coronavirus or coronavirus disease.
Who will be using your data and how will we obtain it?
Nottinghamshire County Council will be the data controller for the personal data you provide to us.
We may also receive data from NHS Test and Trace, other local authorities, the police, and other organisations that are working with the Council on response to the virus, or from other individuals with whom you have been in close contact.
We may also receive data from employers, businesses, schools, and other venues where we think there may have been an outbreak or transmission of the virus.
What personal data do we use?
The Council may hold the following data related to individuals who have tested positive for COVID-19 or who have (or may have) been in close contact with someone who has tested positive for COVID-19:
- Full name
- Date of birth
- NHS number
- Home address and residence type including any link to a care home
- Contact details such as telephone numbers and email addresses
- Occupation/key worker type
- COVID-19 symptoms, including when they started and their nature
- Test centre and pillar
- Vulnerability group
- Shielded status
The Council will also hold records of telephone calls and other contacts with individuals made for the purposes of contact tracing, records of links between individuals, and records of venues and other locations where individuals may have been involved in transmission of the virus including the dates and times.
In some cases the Council may match your data with information from other locally held datasets, such as Council Tax and social care records, in order to improve the quality of contact tracing data and effectiveness of contact tracing processes and to help us identify people that might need additional support.
What types of special category personal data do we use?
The personal data held by the Council includes some ‘special category’ or sensitive data. Data related to the health or ethnicity of individuals is special category data.
Why do we use your data?
The Council will use your personal data to:
- contact individuals who have tested positive with COVID-19 to offer advice and gather information about other people they may have been in close contact with and who may have been infected with the virus;
- gather information from individuals who may have been in close contact with someone who has tested positive, to provide advice on how to seek help; and
- ensure individuals self-isolate when they are required to do so and assist in enforcement of regulations on self-isolation.
The Council will also use your personal data to:
- plan for, identify, manage and contain local outbreaks of the virus;
- support research into COVID-19, including analysis and modelling of the progress and development of the virus locally and nationally;
- enforce COVID-secure measures at settings and venues; and
support planning of services and actions in response to COVID-19.
Where possible the Council will aggregate or de-identify your data when it used for purposes that do not require you to be identifiable as an individual.
We will not share or use your information for other purposes unless we have a legal obligation to do so.
What is the legal basis that allows us to use your data?
The Council’s processing of personal data for the purposes described above is on the lawful basis of public task in Article 6(1)(e) in the General Data Protection Regulation (GDPR): processing is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority”.
The Council’s processing of health information and other special category data for those purposes is based on the condition in Article 9(2)(i) of GDPR: processing is “necessary for reasons of public interest in the area of public health”, as supplemented by Schedule1 Part 1 (3) of the Data Protection Act 2018.
Other lawful bases such as legal obligation may also apply in some situations.
Directions from the Secretary of State under Regulation 3 (4) in the Health Service (Control of Patient Information) Regulations 2002 create an exception to the common law duty of confidentiality that would otherwise restrict sharing of confidential patient information for purposes unrelated to direct care.
Who may we share your data with?
The Council will share your data with NHS Test and Trace. We will also share your data with Nottingham City Council and other local authorities in Nottinghamshire when necessary to ensure a co-ordinated local response to COVID-19.
We may also share your data with NHS organisations, universities, the MOD, and other external organisations including employers when necessary for the purposes of contact tracing, response to local outbreaks, or to support research and analysis to better understand the spread of the virus.
We will ensure we only share your data with organisations that the Council trusts will comply with data protection law. Where possible the Council will aggregate or de-identify your data when it is shared for purposes that do not require you to be identifiable as an individual.
In some circumstances, where we are under a legal obligation to do so or where otherwise necessary, the Council may share your data with the police for purposes of enforcing regulations on self-isolation and other legal requirements related to COVID-19.
How long is your data kept for?
We will only keep your personal data for as long as is necessary for the purposes for which we are processing it, unless we are under a legal obligation or have another legitimate reason for keeping it longer.
It is not possible at this stage to estimate the duration of the pandemic or how long the Council may need to keep your data. We will take account of guidance from the Government to ensure a co-ordinated approach with other organisations.
We anticipate the Council will not need to retain data collected for the purposes of contact tracing beyond the period necessary for local involvement in response to COVID-19, if the same data has been shared with NHS Test and Trace. Public Health England’s privacy notice currently states that it will keep data related to individuals who test positive for COVID-19 for up to eight years and data related to close contacts for up to five years.
Personal data held by the Council will be securely deleted or destroyed once we no longer have a legitimate reason to keep it.
What rights do you have in relation to our use of your data?
You have a number of rights that you may exercise in relation to your personal data. Some of the rights do not apply automatically and may not be available in certain circumstances where a lawful exception applies.
You have a right to access your personal data. You can request a copy of the personal data that we hold about you and ask us to explain how we use your data.
You have a right to object to processing of your personal data. You have an absolute right to stop your data being used for direct marketing. In other cases where the right to object applies, we may be able to continue using your data if we have a compelling reason for doing so.
You have a right to request the restriction or suppression of your personal data.
You have a right to have your personal data erased, if we no longer have a legitimate use for it. This right is sometimes called the ‘right to be forgotten’.
You have a right to rectification of your personal data if the information we hold in relation to you is inaccurate or incomplete.
You have a right not to be subject to any decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. You can request human intervention or challenge any solely automated decision-making that significantly affects you.
If you would like to request access to your personal data or exercise any of your other data protection rights, please contact the County Council’s Complaints and Information Team:
Complaints and Information Team
Nottinghamshire County Council
- email: firstname.lastname@example.org
- telephone: 0300 500 80 80
Where can you get advice or make a complaint?
If you have questions about this privacy notice or about how we use your personal data, you can contact the Council’s Data Protection Officer (DPO) at:
Data Protection Officer
Nottinghamshire County Council
- email: DPO@nottscc.gov.uk
- telephone: 0115 8043800
You can seek advice and have the right to make a complaint to the Information Commissioner’s Office. The ICO is an independent body set up to uphold information rights in the UK. You can contact them through their website: www.ico.org.uk, or their helpline on 0303 123 1113, or in writing to:
Information Commissioner’s Office