Privacy Notice for Polymerase Chain Reaction (PCR) and Lateral Flow Device (LFD) Asymptomatic Testing for Health and Social Care Staff - Summary
The Scottish Government/NHS Test and Protect, in partnership with the UK Department of Health and Social Care, is responsible for the overall delivery of COVID-19 Lateral Flow Testing (LFT) and PCR testing for Health and Social Care staff in Scotland. The testing of asymptomatic Health and Social Care staff can support the continued delivery of essential services, reduction in cases and help to reduce and manage risk to staff and service users
Fife Council is responsible for the local management of the COVID-19 Lateral Flow Testing and PCR testing for social work and social care staff, via testing logs/stock information.
Testing and the submission of test results is voluntary.
Test results for asymptomatic testing will be submitted through the UK Department of Health and Social Care self-test portal and will be passed to NHS National Services Scotland to initiate contact tracing for positive results, and to Public Health Scotland for the management of outbreaks, statistics and research.
By taking up the test, you are agreeing to the collection and use of your personal information in accordance with legislative requirements, including the Data Protection Act 2018 and GDPR (General Data Protection Regulation).
For staff testing, information will be used about you in line with the Human Resources Privacy Notice which is available here: www.fife.gov.uk/privacy/hr
For further information on how your information is being used by Fife Council and other organisations, please see the detailed privacy notice below.
Privacy Notice for Polymerase Chain Reaction (PCR) and Lateral Flow Device asymptomatic testing for Health and Social Care Staff.
Background
The Scottish Government/NHS Test and Protect, in partnership with the UK Department of Health and Social Care, is responsible for the overall delivery of COVID-19 Lateral Flow Testing (LFT) and PCR testing in Scotland. The testing programme for Health and Social Care staff can support the reduction in cases and help to reduce and manage risk to staff and service users
Fife Council is responsible for the local management of the COVID-19 Lateral Flow Testing and PCR testing for social work and social care staff via testing logs/stock information.
Scope of this privacy notice
This privacy notice covers the uses of personal data of staff in Health and Social Care settings by NHS National Services Scotland (NHS NSS) and Public Health Scotland (PHS).
This privacy notice provides you with information about how your personal data will be collected and used in connection with COVID-19 Lateral Flow Testing and PCR testing. It covers the collection and use of your personal data, from providing the LFT/PCR data to the test results being recorded and processed.
As part of this testing, different organisations may require a different level of information about your LFT/PCR data, including the Department of Health and Social Care (DHSC) and Fife Council.
Please refer to the relevant privacy notices if you want to know more about the uses of your personal data by other organisations. Every organisation involved in this data processing is independently responsible for complying with the applicable data protection legislation.
Who am I giving my personal data to?
If you decide to participate in these processes, you will need to submit the results of your self-administered Covid-19 lateral flow and PCR tests at the appropriate portal.
For NHS NSS-issued kits the portal can be found here
Welcome - COVID Testing Portal (service-now.com)
For Department of Health and Social Care (DHSC) issued kits the portal is here
Report a COVID-19 rapid lateral flow test result - GOV.UK (www.gov.uk)
For DHSC test kits the Department of Health and Social Care is the data controller in relation to this data processing and you can find more information here.
For individuals based in Scotland, in line with mandatory notifiable disease reporting regulations and the public tasks of NHS National Services Scotland (NSS) and Public Health Scotland, LFT/PCR data submitted through the digital journey portal will flow through the National Pathology Exchange (NPEx) (DHSC’ processor) into NSS, who safely and securely store the provided data. Public Health Scotland (PHS) also has access to this data to perform their public functions.
NHS NSS and PHS are data controllers for the below purposes.
What is the purpose of processing my personal data?
Providing the LFT/PCR data is voluntary and aims to enable you to administer the COVID-19 tests directly without relying on a test centre. It also enables the involved parties to perform their public duties in managing the Covid-19 public health outbreak. In particular,
NHS NSS is the data controller responsible for
- hosting and administering the secure database on NHS secure servers which receive the LFT/PCR data
- linking data to the Test and Protect Case Management System (CMS) for initiating contact tracing on positive results
- linking data to the NSS Data Hub for national reporting of aggregated and anonymised results
- providing feedback on incident reporting and outbreaks
- linking LFT/PCR data to medical records
PHS is the data controller responsible for performing their statutory public functions and tasks, i.e., research, statistics and management of outbreaks.
What categories of personal data will be collected and processed?
The following personal data will be collected directly from you:
Identity Information:
- CHI Number (if known)
- Last name
- First name
- Date of birth
- Gender
- Ethnic group
Contact Information:
- Area of residence
- First line of the address
- Postcode
- Contact mobile number
- Contact email address
Health information:
- Covid-19 Test Result (select from positive, negative or void)
Information about the COVID-19 test you have taken
- Test kit ID number
- Date test taken
Other:
- Reason for taking the test (Testing for a Health and Social Care setting)
Fife Council is the controller for
- Distributing test kits
- Maintaining stock records including to whom test kits have been issued via a testing log.
The following personal data may be collected from other sources:
- Community Health Index (CHI) number – where this is not provided by you, NHS NSS may have to carry out CHI matching for your data set for the positive tests based on the information kept by NHS NSS. This is necessary to ensure that your records are accurate and kept updated.
In the event of a positive LFT test, you should book a PCR test to confirm the results. The involved parties in the PCR process will provide you with information about the processing of your personal data in this case.
What happens if I choose not to provide the personal data requested?
This privacy notice covers the LFT/PCR COVID-19 regular testing of staff to aid rapid identification of asymptomatic positive cases to reduce onward transmission within Health and Social Care settings. This testing programme, alongside other protective measures such as physical distancing and handwashing, helps reduce the risks of coronavirus to staff and service users.
Staff participation in LFT/PCR testing is voluntary.
In order to submit the LFT/PCR data to the relevant portal, you will need to provide personal data.
What is the lawful basis for collecting, storing and using my data?
NHS NSS and PHS rely on the below lawful bases to process the personal data:
UK General Data Protection Regulation (GDPR) Article 6(1)(e) (lawful basis to permit the processing of personal data) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorities vested in the data controllers.
UK GDPR Article 9(2)(h) (lawful basis to permit the processing of special category data) processing is necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment or the management of health or social care systems and services.
UK GDPR Article 9(2)(i) (lawful basis to permit the processing of special category data) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
UK GDPR Article 9(2)(j) (lawful basis to permit the processing of special category data) processing is necessary for archiving purposes in the public interest or scientific and historical research purposes.
The processing of personal data covered in this policy also adheres to Schedule 1 of the UK Data Protection Act 2018. In particular, the applied conditions under Schedule 1 are:
Condition 2 – Health or social care purposes
Condition 3 - Public health
Condition 4 – Research etc
Condition 6 - Statutory etc. and government purposes
The Council relies on
UK GDPR Article 6(1)(e) (lawful basis to permit the processing of personal data) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorities vested in the data controllers.
In this instance, the task in the public interest is assisting NHS NSS and PHS in fulfilling their statutory functions.
How will my personal data be used?
NHS NSS and PHS process your personal data for the below purposes:
- To perform their public duties and functions in supporting the public healthcare system as outlined under the National Health Service (Functions of the Common Services Agency) (Scotland) Order 2008 for NHS NSS (e.g. management services to support the Scottish
Government and Health Boards) and the Public Health Scotland Order 2019 for PHS (e.g. research).
- To administer the processing of your LFT/PCR results.
- To enable contact tracing.
- To share the test outcome with other parties involved in this process, such as local Health Boards so they can provide you with appropriate advice and support.
The Council’s purpose is the facilitation of the work of NHS NSS and PHS as above.
Where your personal data is shared with third parties acting as data controllers, they are responsible for ensuring compliance with data protection law.
How will my personal data be shared?
Your personal data will only be shared with specific parties as part of this processing and on a need-to-know basis. Where special categories of personal data are shared, this is subject to suitable and specific measures to safeguard your rights and freedoms. NHS NSS and PHS may share your personal data with:
- Your local Health Boards to carry out their public health duties
- The GP of the person who tested positive
- NHS Test and Protect service who undertake contact tracing to initiate contact tracing for positive cases
- Other parties of the health and care system for monitoring and planning actions in response to COVID-19
Where positive tests become part of the medical records of the tested person, parties authorised to access your medical records will also have access to this information.
Information about COVID-19 LFT tests may be provided to the Scottish Government in an aggregated and anonymised format for the evaluation of the effectiveness of this testing, including operational performance, and clinical and public health effectiveness.
Your employer may need to access information about your LFT/PCR for certain purposes (e.g. stock management and incident reporting about the quality or safety of testing). Information submitted to the self-test digital journey portals is not shared with Fife Council and you may have to provide this information directly to these organisations. Your employer should provide the necessary contact details for reporting the information to all participants.
How long will my personal data be kept?
- The test information processed by NHS Scotland is kept for as long as is required to provide you with direct care and to support NHS Scotland's initiatives to fight COVID-19. Information held for direct care purposes is stored in line with the Scottish Government Health and Social Care Records Management Code of Practice 2020. This means such information will be held for up to 7 years before it is deleted.
- When positive test results are added to your personal medical records, this will be retained on these records for your lifetime.
- The Council will retain testing log/stock information for 12 months.
Where is my personal data stored?
Your data will be stored securely within the United Kingdom and safely accessed by authorised parties. We will not share your personal data outside the United Kingdom.
Is my personal data kept private and secure?
We have legal duties to keep information about you confidential. Strict rules apply to keep your information safe and comply with the Data Protection Act 2018, UK GDPR and organisational Data Protection policies. Appropriate technical and organisational measures are used to keep your data safe, including adherence to the NHS Scotland Information Security Policy framework, PHS/NSS Corporate Information Security Policies, PHS/NSS Information Security Acceptable Use Policy, NHSS Information Security and Cyber Security incident reporting and management processes and information governance training.
The Council has similar technical and organisation measures in place.
What Are My Rights?
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restriction of processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision-making.
- The right to lodge a complaint with a supervisory body.
Exercising Your Rights
(1) In relation to personal data processed by NHS NSS
If you have questions, or complaints or you would like to make a data subject access request (DSAR) regarding how your personal data is collected and processed by NHS NSS, the contact information you need is noted below.
Website: https://nhsnss.org/contact-us Email Address: nss.dataprotection@nhs.scot
Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB Telephone: 0131 275 6000
For more information about your rights and how to invoke them in relation to your test results, visit the website at: https://nhsnss.org/how-nss-works/data-protection
(2) In relation to personal data processed by PHS
If you have questions, or complaints or you would like to make a data subject access request (DSAR) regarding how your personal data is collected and processed by NHS NSS, the contact information you need is noted below.
Website: //www.publichealthscotland.scot/contact-us/ Email Address: phs.dataprotection@phs.scot
Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB Telephone: 0131 314 5436
(3) In relation to personal data processed by other parties
For any data processing that is not covered in this privacy notice, other involved organisations are responsible. Please refer to their privacy notices.
Contact details of the data controllers:
NHS National Services Scotland Website: https://nhsnss.org/contact-us Email Address: nss.dataprotection@nhs.scot Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB Telephone: 0131 275 6000 Contact details of the NHS NSS Data Protection Officer (DPO) Email Address: nss.dataprotection@nhs.scot Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB Telephone: 0131 275 6000 |
|
Public Health Scotland Website: https://www.publichealthscotland.scot/contact-us/ Email Address: phs.dataprotection@phs.scot Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB Telephone: 0131 275 6000 Contact details of the PHS Data Protection Officer (DPO) Email Address: phs.dataprotection@phs.scot Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB Telephone: 0131 275 6000 | 5436 |
Fife Council Website: https://www.fife.gov.uk Email Address: dataprotection@fife.gov.uk Postal Address: Fife House, North Street, Glenrothes, Fife, KY7 5LT. Telephone: 03451 55 55 55 Contact details of the Council’s Data Protection Officer (DPO) Email Address: dataprotection@fife.gov.uk Postal Address: Fife House, North Street, Glenrothes, Fife, KY7 5LT. Telephone: 03451 55 55 55 | 55 55 |
To raise a complaint with the Information Commissioner’s Office (ICO) as the supervisory body in the UK, contact:
Information Commissioner’s Office
Postal Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Telephone: 0303 123 1113 Website: www.ICO.org.uk