Workforce testing privacy notice

What we are doing with your data

As a critical part of our response to the Covid-19 virus, we will be collecting and using personal data about the Council’s own frontline staff, frontline workforce of other organisations within the city and in some cases, other household members of those workers.

This is for the following purposes:

  • To identify workforce members and their householders who should be prioritised for Covid-19 testing.
  • To arrange the tests themselves and to provide the results back to the individuals concerned
  • To ensure that members of the workforce and their cohabitants can make informed choices as to whether they should be self-isolating to prevent the further spread of the infection
  • To populate a national testing database
  • To contribute to national and regional understanding of the spread of the virus
  • To provide data to assist with workforce planning
  • To meet legal obligations to the ongoing health and welfare of the frontline care workforce

The following articles in the General Data Protection Regulation (GDPR) provide a lawful basis for collecting and sharing staff information to facilitate and monitor the results of testing for Covid-19.

Facilitation of Testing for Covid-19

Basic details about the employee will be collected and shared to facilitate testing of frontline staff and this will be under the following lawful basis:

GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the Council is subject.

The legal obligation in question is conferred by The Health and Safety at Work Act 1974 and supported in this instance by the relevant exemption in The Data Protection Act 2018, Schedule 2, Part 2, Paragraph 7 4(a), which permits processing of personal data to ensure the health, safety and welfare of people at work.

Special Category Data

Where it is found necessary to process medical information, such as positive results for tests, the lawful basis for this under the GDPR will be:

GDPR Article 9(2)(h): “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […]”

GDPR Article 9(2)(i): “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health […]”

Who is the Data Controller?

As this is a nationally coordinated testing programme, there are several data controllers involved at different stages of the process.

The Department for Health and Social Care has commissioned the testing programme and is data controller for the process of arranging your test and returning the results to you.

NHS England is Data Controller of the database which will hold the record of all test results as well as for providing the results of your tests to your GP

Public Health England is data controller when aggregated testing results are used to plan the coronavirus response.

Brighton and Hove City Council is data controller when it receives your test result and uses these for workforce planning, ensuring the health and wellbeing of staff at work and preventing the spread of the virus within the local frontline workforce.

What Data will be collected:

To arrange your test and ensure that the identities of those tested are clearly established, the following personal data may be required:

  • first and last name
  • date of birth
  • sex
  • mobile phone number
  • email address
  • address (including postcode)
  • vehicle registration number (if you are taking a test at a regional test site)
  • NHS Number (for English residents and if you know it – Wales/Scotland/NI residents may need to provide a different local identifier, which will be specified upon registering for a test)
  • other household members’ first and last names (in cases where they may also be invited to be tested.

How this data will be used

Deloitte UK has been contracted to run local test sites and will receive your details for the purposes of arranging and verifying the identity of people attending test sites.

Your identifying information as well as the results of your tests will be uploaded to a national testing database managed on behalf of NHS England by NHSX.

NHS Digital may, if instructed, collate data reports to provide to local public health authorities to help coordinate the local response to the pandemic

Brighton and Hove City Council will use testing results to coordinate frontline resource planning as well as to protect the health and wellbeing of staff, their cohabitants and service

users, by identifying where staff should be self-isolating for their own wellbeing as well as that of the public they serve

Results of tests will be returned directly to the person being tested within 72 hours. Along with your test result, you will receive information concerning what steps you should take next.

How Long this information will be retained

The information will be held by the Council and/or private sector employers for as long as necessary to ensure that the health status of the individual staff member can be monitored, and appropriate action taken to protect that staff member and take measures to contain the spread of the pandemic.

In addition, anonymised statistical data sets may be created by partner agencies, to facilitate understanding of the progress of national testing initiatives and the spread of infection. Where this occurs, you will not be identifiable from this data.

Your Rights

You have a general right to a copy of the data held and shared about you for this process. However, in accordance with the exemption outlined in the Data Protection Act 2018, Schedule 2, Part 2, Paragraph 7(4), this right will only be respected to the extent that it does not interfere with he performance of the staff health and safety and public health objective.

As the Council and its partner agencies are processing for meeting statutory obligations, the following GDPR rights will not apply:

  • Right to Erasure
  • Right to Object to Processing where it is done for the outlined purposes
  • Right to Restrict Processing where it is done for the outlined purposes
  • Right to Portability of Data

Further Information

If you have any questions or concerns about the processing of your personal data for this purpose, you can contact the Data Protection Officer for the relevant data controller. As the lead authority is the Department of Health and Social Care, most queries are best directed there.

The Data Protection Officer for the Department of Health and Social Care is John Ryder and he may be contacted on:

However, if your concern is with the use of your data by Brighton and Hove City Council, then you can contact the Council’s Data Protection Team at

The Council’s Data Protection Officer (DPO) can also be contacted. If you wish to speak to the DPO, please contact the Data Protection Team and they will refer yo