Workforce testing privacy notice
Read our privacy notice for information on how we collect, store and process your data.
What we are doing with your data
As a critical part of our response to the Covid-19 virus, we will be collecting and using personal data about the Council’s own frontline care workforce, the care workforce of private organisations within the city providing frontline care and, in some cases, other household members of those workers. This is for the following purposes:
- to identify workforce members and their householders who should be prioritised for Covid-19 testing.
- to arrange the tests themselves and to provide the results back to the individuals concerned
- to ensure that members of the workforce and their cohabitants can make informed choices as to whether they should be self-isolating to prevent the further spread of the infection
- to populate a national testing database
- to contribute to national and regional understanding of the spread of the virus
- to provide data to assist with workforce planning
- to meet legal obligations to the ongoing health and welfare of the frontline care workforce
The following articles in the General Data Protection Regulation (GDPR) provide a lawful basis for collecting and sharing staff information to facilitate and monitor the results of testing for Covid-19.
Facilitation of testing for Covid-19
Basic details about the employee will be collected and shared to facilitate testing of frontline staff and this will be under the following lawful basis:
GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the Council is subject.
The legal obligation in question is conferred by The Health and Safety at Work Act 1974 and supported in this instance by the relevant exemption in The Data Protection Act 2018, Schedule 2, Part 2, Paragraph 7 4(a), which permits processing of personal data to ensure the health, safety and welfare of people at work.
Special category data
Where it is found necessary to process medical information, such as positive results for tests, the lawful basis for this under the GDPR will be:
GDPR Article 9(2)(h): “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […]”
GDPR Article 9(2)(i): “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health […]”
How this data will be used
The initial data collected will include contact information to arrange tests as well as the registrations of vehicles to identify people arriving at test sites.
The information will be uploaded to a national testing database managed on behalf of the central government by Deloitte UK.
Results of tests will be returned directly to the person being tested within 72 hours. It will be the responsibility of the employee to notify their employer of the results of the tests upon receipt.
How long this information will be retained
The information will be held by the council and/or private sector employers for as long as necessary to ensure that the health status of the individual staff member can be monitored, and appropriate action taken to protect that staff member and take measures to contain the spread of the pandemic.
In addition, anonymised statistical data sets may be created by partner agencies, to facilitate understanding of the progress of national testing initiatives and the spread of infection. Where this occurs, you will not be identifiable from this data.
Your rights
You have a right to a copy of any information collected and shared about you for the purposes of this process.
However, as the council and its partner agencies are processing for meeting statutory obligations, the following GDPR rights will not apply:
- Right to erasure
- Right to object to processing
- Right to restrict processing
- Right to portability of data
How to get advice or make a complaint
Data Protection Officer
If you have a concern about how we collect or use your personal data you can contact the Council’s Data Protection Officer.
How to make a complaint
We aim to resolve all complaints about how we handle personal information. You also have the right to make a complaint about data protection to the Information Commissioner's Office.
Contact them by post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or phone 0303 1231 113.
You can also make a complaint or find out more information on the Commissioner's Office website.
If your complaint is not about data protection, find details on how to make a complaint about a council service.