COVID-19 employees, staff and contractors Privacy Notice

COVID-19 testing Privacy Notice

We collect and process personal and special categories of personal data relating to our employees to manage COVID testing during COVID-19 response requirements.

The Department of Health and Social Care (DHSC) has commissioned the virus testing programme on behalf of the UK and will be Data Controller for the purposes of Data Protection legislation. They decide what information is required and how it needs to be used.

At different points in the process, other organisations may also have Data Controller status, depending on what they are doing with your information. The council will be a data controller in processing your information for this key worker testing.

The details we need from you are:

  • first and last name
  • date of birth
  • sex
  • mobile phone number
  • email address
  • address including postcode
  • vehicle registration number (if you are taking a test at a regional test site)
  • NHS Number (for English residents and if you know it)
  • National Insurance Number
  • other household members’ first and last names (as they may also be invited to test if they show signs of coronavirus; you can input up to 5 people)

The different testing methods will require different personal data. For example, when registering for a home test, you will not be required to provide your vehicle registration number.

Currently, you will either be contacted by human resources inviting you to take a test to see if you have reported COVID-19 symptoms or you need to self-isolate because members of your household have symptoms. The test is voluntary, and you do not have to take it, but we would encourage all key workers to take the test where it has been identified.

As the programme develops, the DHSC and the council may look towards people self-referring for tests, rather than being identified by the council or Medigold/Day One Absence reporting as suitable for testing.

If you decide to take a test, then you need to follow the instructions you will be given. You will register to attend an appointment at a regional test site or register for a home test (where eligibility criteria are met).

Regional test sites are at:

  • York Poppleton Park and Ride
  • Leeds
  • Hull
  • Gateshead

DHSC is the Data Controller for the following purposes:

  • confirming the appointment to the regional test site
  • performing a security and ID verification at the regional test site
  • receiving and processing your test
  • returning your results to you
  • sharing results with Public Health England (if you live in England) to help plan and respond to coronavirus
  • for patients resident in England, instructing NHS Digital to link your test result to your GP record, and to analyse data in relation to coronavirus
  • undertaking quality assurance of the testing process, for example clinical process assurance
  • analysis to support operational decisions to improve the full end-to-end testing process
  • day to day use, for example whether someone attended their appointment
  • to inform regional test sites of improvements to the testing process, for example to manage capacity or throughput
  • support end to end logistics planning

Using your data for other purposes

Your information may also be used for different purposes that are not directly related to your health and care. These include:

  • research into coronavirus (including potentially being invited to be part of clinical trials)
  • planning of services or actions in response to coronavirus
  • monitoring the progress and development of coronavirus

Information provided by you, and collected about you, in relation to testing for coronavirus will not be used for any purpose that is not linked to coronavirus.

Wherever possible, information that does not directly identify you will be used for these purposes, but there may be times when it is necessary for your personal data to be used.

Any releases of information that identify you will be lawful and the minimum necessary for that purpose.

NHS Digital is required, under law, by DHSC and NHS England, to collect, analyse and share information and data relating to coronavirus, when this information is requested by other health and care organisations or researchers.

This information may be collected from various health and care organisations and may be given to other health and care organisations responding to coronavirus.

Our legal basis for using personal data

DHSC and the council’s legal basis for processing your personal data is:

  • GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • GDPR Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system
  • Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) - Health or social care purposes

Other organisations involved in processing your data will be doing so either with an agreement in place with DHSC to provide that service, or with a legal basis of their own (such as NHS Digital).

Sharing personal data

Other organisations will also carry out parts of the virus testing programme on behalf of DHSC but can only act on instructions provided to them by DHSC. These organisations are known as Data Processors.

Each organisation will require a different level of information about you, but all will use the minimum necessary to do what they are required to by the Data Controller.

See the DHSC privacy notice.

See the full list of Data Controllers and Data Processors.

For English resident patients, your test result will be linked to your GP record. This will be done by NHS Digital, who will be acting jointly as Data Controllers with DHSC. This will enable your GP to be informed of your test result without you needing to do anything.

Sharing personal data for processing of tests

If you've been registered for an appointment at the regional test centre, your details will be captured in a database, and passed to the team running the site, so they can check who you are on arrival.

Once you have ‘checked-in’ and your ID has been validated, you'll take the test, and the unique reference number on the kit will be logged.

The laboratory will receive the sample, analyse it and provide your test result to the National Pathology Exchange (NPEX).

NPEX will inform NHS Business Services Authority who will send your result to you by text and/or email, along with supporting information and next steps you need to take.

The lab does not receive any of your personal data, just the kit’s unique reference number, to which they add the test result, and return to the supplier.

For tests that are not conducted by Randox, the results will go direct to NHS Business Services Authority, who will send the result to you by text and/or email, along with supporting information and next steps.

There are currently 3 home test kit suppliers:

  • Randox
  • Thermofisher
  • Medical Wire

The process may vary slightly depending on which test kit you receive.

Randox operates an end-to-end process. This means once the kit is requested and delivered by Amazon, the completed sample is returned to Randox. Randox then tests it, records the result and sends your result to you by email and/or text.

You must register your personal information on the Randox website in order to receive your result.

The lab will also send your result to NPEX, who collate all results and send them to relevant organisations to help us respond to coronavirus.

For Thermofisher and Medical Wire test kits, the samples are returned to a government lab. Thermofisher and Medical Wire receive no information about you.

If you have registered for a home test, then your name and address will be passed to Amazon, who will deliver the testing kit. The kit will have a unique reference number, and once you have self-administered the test, you will need to follow the instructions on the kit.

Organisations who use your data and information on behalf of a Data Controller can only do so with clear instructions from them. They cannot use your data and information for any other purpose.

Any use of information that is not covered by the instructions from the Data Controller would be unlawful, unless the Data Controller agrees and provides written permission to do this.

DHSC have appointed Data Processors, as indicated below, to carry out these activities:

  • registration of your test
  • delivery of your testing kit, the Data Processor is Amazon
  • to schedule appointments and capture information at the point of testing
  • certify your identity at the regional test site, this may include various organisations who run the different parts of the regional test site
  • link your personal details (provided on registering for the test) to the test result (the Data Processor is the National Pathology Exchange (NPEX), hosted by Calderdale and Huddersfield NHS Trust)
  • send you your test results via email (if you have taken a Randox home test only, the Data Processor is Randox)
  • forward your test results, email address and phone number to NHS Business Services Authority (NHS BSA) to send you your test results (the Data Processor is NPEX). NHS BSA will provide results to all UK residents
  • receive data to enable your results, and supporting information, to be communicated back to you by text and email (the Data Processor is NHS BSA)

Services on behalf of DHSC may be provided by different organisations in different regions.

Retaining personal data

For English residents, your information will be stored in line with the Records Management Code of Practice for Health and Social Care 2016. This means we will keep your information for up to 8 years before we dispose of it.

Information that identifies you will be stored securely, and processed in, the UK.

Information that does not, and cannot, identify you may be stored and processed outside of the UK. For example, information purely about the number of tests conducted, or the number of outcomes from tests.

Information is stored in a range of different places in the council, including in your personnel file, in the council’s HR management systems and in other IT systems (including the council's email system). There is also information held in third party systems including Health Management (Occupational Health referrals and reports) and Medigold Health (Sick absence and unplanned absence data).

The council will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment are set out in the HR retention policy which is available on the council intranet.

Your rights

You have a number of legal rights under Data Protection law and you can find out more about these on the Information Commissioner's Office (ICO) website.

The COVID-19 testing programme does not take away or reduce your rights under data protection legislation, so you can still request (for example), from the organisations named in this notice in section 3, copies of the information they hold about you.

If you're unhappy or wish to complain about how your information is used as part of the COVID-19 testing programme, you should contact DHSC or the council (see the contact details below) in the first instance to resolve your issue.

The Data Protection Officer for DHSC is John Ryder, email:
So, for example, if you have a complaint relating to Randox home tests, you would contact Randox initially.

The Data Controllers for the COVID-19 testing programme are as follows:

  • DHSC
  • NHS England
  • NHS Digital, jointly with DHSC for information relating to English resident patients. NHS National Services Scotland, Public Health Wales and NI public health bodies, may also request NHS Digital to process information relating to their resident population for coronavirus
  • Public Health England, when they receive results and use them to plan their response to coronavirus
  • City Of York Council

The Data Processors for the COVID-19 testing programme are as follows:

  • Deloitte, supporting DHSC to help accelerate and scale testing capacity for the national COVID-19 testing programme
  • Serco, who manage some of the regional test sites once established
  • Barcode Warehouse, who provide barcodes for test kits
  • Amazon, to deliver test kits once a request has been registered
  • Randox, to supply home tests and inform you of the result of your Randox home test. They also operate some regional test sites
  • Thermofisher, to supply home tests and operate some regional test sites
  • Medical Wire, to supply home tests and operate some regional test sites
  • ServerLabs, for building the digital solution for the testing programme
  • Teleperformance, providing call centre assistance across the coronavirus digital service
  • ACF Technologies, providing software to enable you to book a test at a regional test site
  • Jigsaw24, who are providing mobile phone and SIMs for the mobile regional test site apps (so you don’t have to self-scan a barcode at the regional test site)
  • NPEX, who collate all coronavirus results from testing laboratories, and pass the results onto other organisations, to enable them to do what they need to
  • NHS Business Services Authority, to inform you of the result of your regional test site test, provide supporting information to you, and to send your test result into a central database to help respond to coronavirus
  • Medigold/Day One Absence reporting

Each organisation that processes your information must provide you with information about how they do this. This should be publicly available on their website or can be requested from them.

For example, if you want to know more about how NHS Digital use your information, then you can visit their website.

Data Protection Officer

West Offices, Station Rise, York, YO1 6GA

Telephone: 01904 554145