Background
The Scottish Government (NHS Test and Protect), in partnership with the UK Department of Health and Social Care, Local Authorities and the NHS Scotland, is responsible for the overall delivery of COVID-19 Lateral Flow Testing (LFT) of staff in primary, secondary and special schools and Early Learning and Childcare (ELC) and S1-S6 pupils in Scotland. The testing of asymptomatic people can support education settings to identify positive cases, break chains of transmission and reduce risks in settings.
Scope of this privacy notice
This privacy notice covers the processing of personal data of staff in primary, secondary and special schools and Early Learning and Childcare (ELC) settings, and S1-S6 pupils, by the Department of Health and Social Care, NHS National Services Scotland (NHS NSS) and Public Health Scotland (PHS) and schools and ELCs under the remit of Scottish Local Authorities.
This privacy notice provides you with information about how your personal data will be collected and used in connection with COVID-19 Lateral Flow Testing. It covers the collection and use of your personal data, from providing the LFT data to the test results being recorded and processed.
As part of this testing, different organisations may require a different level of information about your LFT data, including the Department of Health and Social Care (DHSC) and schools/ELC providers. Please refer to the relevant privacy notices if you want to know more about the uses of your personal data by other organisations. Every organisation involved in this data processing is independently responsible for complying with the applicable data protection legislation.
For further privacy information refer to:
- Use of your data for COVID-19 Testing | Information Governance (scot.nhs.uk)
- Coronavirus (COVID-19): Testing in Scotland | NHS inform
- How the NHS handles your personal health information | NHS inform
- Your school and Local Authority (Council) privacy notices and websites
DHSC Privacy Notice
Who am I giving my personal data to?
If you (or your parent/legal guardian for children below the age of 16 or individuals without the required capacity) decide to participate in this LFT process, you will need to submit the results of your self-administered Covid-19 lateral flow tests through the DHSC LFT self-test digital journey portal. DHSC is the data controller in relation to this data processing and you can find more information on the Government website.
For individuals based in Scotland, in line with mandatory notifiable disease reporting regulations and the public tasks of NHS National Services Scotland (NSS) and Public Health Scotland, LFT data submitted through the digital journey portal will flow through National Pathology Exchange (NPEx) (DHSC’ processor) into NSS, who safely and securely store the provided data. Public Health Scotland (PHS) also has access to this data to perform their public functions.
Scottish Government, Local Authorities (schools and ELCs), NHS NSS and PHS are data controllers for the below purposes.
What is the purpose of processing my personal data?
Participating in the LFT programme is voluntary. The data collected is necessary to enable the administration of the Covid-19 test directly to you without relying on a test centre. It also enables the involved parties to perform their public duties in managing the Covid-19 public health outbreak as indicated in the table below.
As indicated in the table below, each of the organisations involved, play a different role in this process; in partnership, they will process your personal data for the below purposes:
- to perform their public duties and functions (for more details refer to Table 2 Legal basis),
- to administer the processing of your LFT results,
- to enable contact tracing,
- to share the test outcome with other parties involved in this process, such as local Health Boards so they can provide you with appropriate advice and support.
Table 1 roles and responsibilities of the data controllers
Organisation (Data controller) |
Role within the Test & Protect Programme | Access to personal data |
---|---|---|
Scottish Government (Scottish Ministers) |
The Scottish Government provides strategic direction and leadership for the Test and Protect Programme, as per the duty of Scottish Ministers to protect public health. | No. The Scottish Government do not have access to personal identifiable data. |
Department of Health and Social Care (England) |
Is responsible for the overall delivery of COVID-19 Lateral Flow Testing (LFT) as part of the UK Testing programme. |
Yes. |
Local Authorities |
In partnership with the Scottish Government and DHSC, are responsible for the overall delivery of COVID-19 Lateral Flow Testing (LFT) of staff in primary, secondary and special schools and Early Learning and Childcare (ELC) and S1-S6 pupils in Scotland. |
Yes. |
Public Health Scotland (PHS) |
Responsible for performing their statutory public functions and tasks, i.e., research, statistics and management of outbreaks. Decides on analytical methods and reporting in its role as an independent official statistics producer. | Yes, on a need-to know basis only. |
The Common Services Agency (NHS National Services Scotland - NHS NSS) |
Responsible for:
|
Yes, on a need-to know basis only |
What categories of personal data will be collected and processed?
The following personal data will be collected directly from you (or your parent/legal guardian for children below the age of 16 or individuals without the required capacity):
- Identity Information:
- Last name
- First name
- Date of birth
- Gender
- Ethnic group
- Contact Information:
- Area of residence
- First line of address
- Postcode
- Contact mobile number
- Contact email address
- Health information:
- Covid-19 Test Result (select from positive, negative or void)
- Information about the Covid-19 test you have taken
- Test kit ID number
- Date test taken
- Other:
- Name or postcode of the school or college
- Reason for taking the test (Testing for an education provider - like a school or college)
The following personal data will be collected from other sources:
- Community Health Index (CHI) number – where this is not provided by you, NHS NSS may have to carry out CHI matching for your data set for the positive tests based on the information kept by NHS NSS. This is necessary to ensure that your records are accurate and kept updated.
In the event of a positive LFT test you should book a PCR test to confirm the results. The involved parties in the PCR process will provide you with information about the processing of your personal data in this case.
Aberdeen City Council is the Data Controller for consent forms and for logs of tests issued.
What happens if I choose not to provide the personal data requested?
This privacy notice covers the LFT Covid-19 weekly testing of staff and senior phase pupils for rapid identification of asymptomatic positive cases to reduce onward transmission within schools and ELC providers. This testing programme, alongside other protective measures such as physical distancing and handwashing, helps reduce the risks of coronavirus in education settings.
Staff and student participation in LFT testing is voluntary. It is the responsibility of the participating schools to ensure that that they obtain the appropriate and valid consent (e.g. from the participants or their parents/legal guardians). People who decline to participate in twice-weekly contact testing may still attend school/ELC providers, provided they continue to follow national guidance on symptomatic testing and self-isolation.
In order to submit the LFT data to the LFD portal, you will need to provide personal data.
What is the lawful basis for collecting, storing and using my data?
The legal basis for each of the organisation involved to processing your personal data or making
decision about it are:
Table 2 Legal basis
Scottish Government |
Necessary for performance of a task carried out in the public interest on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 6(1)(e)). Necessary for reasons of substantial public interest for statutory and government purposes on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(g)). Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of Necessary for reasons of public interest in the area of public health on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(i)). Necessary for scientific research or statistical purposes in the public interest (UK GDPR Art 9(2)(j)). |
NHS NSS and PHS |
UK General Data Protection Regulation (GDPR) Article 6(1)(e) (lawful basis to permit the processing of personal data) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorities vested in the data controllers. UK GDPR Article 9(2)(h) (lawful basis to permit the processing of special category data) processing is necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment or the management of health or social care systems and services. UK GDPR Article 9(2)(i) (lawful basis to permit the processing of special category data) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. UK GDPR Article 9(2)(j) (lawful basis to permit the processing of special category data) processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes. |
Local Authorities (including schools and ELCs) |
UK General Data Protection Regulation (GDPR) Article 6(1)(e) (lawful basis to permit the processing of personal data) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorities vested in the data controllers. UK GDPR Article 9(2)(j) (lawful basis to permit the processing of special category data) processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes. |
DHSC |
DHSC’s legal basis for processing your personal data is:
|
Other organisations involved in processing your data (such as NHS Digital) will be doing so either with an agreement in place with the data controllers (e.g. DHSC) to provide that service, or with a legal basis of their own).
The processing of personal data covered in this policy also adheres to Schedule 1 of the UK Data Protection Act 2018. In particular, the applied conditions under Schedule 1 are:
- Condition 2 - Health or social care purposes
- Condition 3 - Public health
- Condition 4 - Research etc
- Condition 6 - Statutory etc and government purposes
How will my personal data be shared?
Your personal data will only be shared with specific parties as part of this processing and on a needto-know basis. Where special categories of personal data are shared, this is subject to suitable and specific measures to safeguard your rights and freedoms. NHS NSS and PHS may share your personal data with:
- Your local Health Boards to carry out their public health duties
- The GP of the person who tested positive
- NHS Test and Protect service who undertake contact tracing to initiate contact tracing for positive cases
- Other parties of the health and care system for monitoring and planning actions in response to COVID-19
Where positive tests become part of the medical records of the tested person, parties authorised to access your medical records will also have access to this information.
Information about Covid-19 LFT tests may be provided to the Scottish Government in an aggregated and anonymised format for the evaluation of the effectiveness of this testing, including operational performance, clinical and public health effectiveness.
Your school/ELC provider may need to access information about your LFT for certain purposes (e.g. stock management and incident reporting about the quality or safety of testing). Information submitted to the self-test digital journey portal is not shared with school/ELC provider and you may have to provide this information directly to these organisations. Your school and/or ELC provider should provide necessary contact details for reporting the information to all participants.
How long will my personal data be kept?
- The test information processed by NHS Scotland is kept for as long as is required to provide you with direct care and to support NHS Scotland initiatives to fight COVID-19. Information held for direct care purposes is stored in line with the Scottish Government Health and Social Care Records Management Code of Practice 2020. This means such information will be held for up to 7 years before it is deleted.
- When positive test results are added to your personal medical records, this will be retained on these records for your lifetime.
- The information processed by your school (consent forms and logs of test kits issued) will be kept 7 years, unless we receive further national guidance. In relation to retention
- The information processed by DHSC will be kept in line with their privacy notice, for up to 8 years, in accordance with the Records Management Code of Practice for Health and Social Care 2016.
Where is my personal data stored?
Your data will be stored securely within the United Kingdom and safely accessed by authorised
parties. We will not share your personal data outside the United Kingdom.
Is my personal data kept private and secure?
We have legal duties to keep information about you confidential. Strict rules apply to keep your
information safe and comply with the Data Protection Act 2018, UK GDPR and organisational Data Protection policies. Appropriate technical and organisational measures are used to keep your data safe, including adherence to the NHS Scotland Information Security Policy framework, PHS/NSS Corporate Information Security Policies, PHS/NSS Information Security Acceptable Use Policy, NHSS Information Security and Cyber Security incident reporting and management processes and information governance training.
What Are My Rights?
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restriction of processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision-making.
- The right to lodge a complaint with a supervisory body.
For more information about how to exercise your rights within the NHS Scotland visit:
How the NHS handles your personal health information | NHS inform
For more information about your rights and how to invoke them in relation to your test results, visit NHS NSS: Data protection.
Data Controllers contact details
If you have questions, complaints or you would like to make a data subject access request (DSAR) regarding how your personal data is collected and processed by the data controllers, the contact information you need is noted below.
Contact details of the data controllers:
Organisation | Contact details of the Data Protection Officer (DPO) |
---|---|
NHS National Services Scotland |
Email Address: nss.dataprotection@nhs.scot Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB Telephone: 0131 275 6000 |
Public Health Scotland |
Email Address: phs.dataprotection@phs.scot Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB. Telephone: 0131 314 5436 |
Scottish Government |
The Scottish Government Data Protection Officer Email Address: DataProtectionOfficer@gov.scot Postal Address: Victoria Quay, Commercial Street, Edinburgh, EH6 6QQ. |
Scottish Local Authorities. Links to Scottish Local Authority websites can be found on the COSLA website. |
Data Protection Officers’ contact details are available on the Protect Scot website. |
DHSC |
Updated details of the DHSC’s Data Protection Officer are available on the UK Government website. Email Address: data_protection@dhsc.gov.uk |
In relation to personal data processed by other parties
For any data processing that is not covered in this privacy notice, other involved organisations are responsible. Please refer to their privacy notices.
To raise a complaint with the Information Commissioner’s Office (ICO) as the supervisory body in the UK, contact:
Information Commissioner’s Office
Postal Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ICO.org.uk