What we are doing with your data

As a critical part of our response to the Covid-19 virus, we will be collecting and using personal data about the Council’s own frontline care workforce, the care workforce of private organisations within the city providing frontline care and, in some cases, other household members of those workers. This is for the following purposes:

  • to identify workforce members and their householders who should be prioritised for Covid-19 testing.
  • to arrange the tests themselves and to provide the results back to the individuals concerned
  • to ensure that members of the workforce and their cohabitants can make informed choices as to whether they should be self-isolating to prevent the further spread of the infection
  • to populate a national testing database
  • to contribute to national and regional understanding of the spread of the virus
  • to provide data to assist with workforce planning
  • to meet legal obligations to the ongoing health and welfare of the frontline care workforce

The following articles in the General Data Protection Regulation (GDPR) provide a lawful basis for collecting and sharing staff information to facilitate and monitor the results of testing for Covid-19.

Facilitation of testing for Covid-19

Basic details about the employee will be collected and shared to facilitate testing of frontline staff and this will be under the following lawful basis:

GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the Council is subject.

The legal obligation in question is conferred by The Health and Safety at Work Act 1974 and supported in this instance by the relevant exemption in The Data Protection Act 2018, Schedule 2, Part 2, Paragraph 7 4(a), which permits processing of personal data to ensure the health, safety and welfare of people at work.

Special category data

Where it is found necessary to process medical information, such as positive results for tests, the lawful basis for this under the GDPR will be:

GDPR Article 9(2)(h): “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […]”

GDPR Article 9(2)(i): “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health […]”

How this data will be used

The initial data collected will include contact information to arrange tests as well as the registrations of vehicles to identify people arriving at test sites.

The information will be uploaded to a national testing database managed on behalf of the central government by Deloitte UK.

Results of tests will be returned directly to the person being tested within 72 hours. It will be the responsibility of the employee to notify their employer of the results of the tests upon receipt.

How long this information will be retained

The information will be held by the council and/or private sector employers for as long as necessary to ensure that the health status of the individual staff member can be monitored, and appropriate action taken to protect that staff member and take measures to contain the spread of the pandemic.

In addition, anonymised statistical data sets may be created by partner agencies, to facilitate understanding of the progress of national testing initiatives and the spread of infection. Where this occurs, you will not be identifiable from this data.

Your rights

You have a right to a copy of any information collected and shared about you for the purposes of this process.

However, as the council and its partner agencies are processing for meeting statutory obligations, the following GDPR rights will not apply:

  • Right to erasure
  • Right to object to processing
  • Right to restrict processing
  • Right to portability of data

Further information

If you have any questions or concerns about the processing of your personal data for this purpose, you can contact the council’s Data Protection Team at data.protection@brighton-hove.gov.uk.

The council’s Data Protection Officer (DPO) can also be contacted. If you wish to speak to the DPO, please contact the Data Protection Team and they will refer you.