Test and Trace privacy notice

How we collect and hold data about you to support NHS Test and Trace.

This privacy notice is to explain and provide you with information on how we collect and hold data about you to support NHS Test and Trace.

You can view the general Brighton & Hove City Council privacy notice as well as the Coronavirus (COVID-19) privacy notice which has more about how we collect, use and protect personal data generally, as well as your rights as a data subject.

Brighton & Hove City Council is the data controller for purposes of the Data Protection Act (2018) and The General Data Protection Regulation (EU) 2016/679 ("GDPR") and is registered as a data controller with the Information Commissioner’s Office (ICO).

Brighton & Hove City council is committed to protecting your personal information. As a data controller we have a responsibility to make sure you know why and how your personal information is being collected. This is in accordance with relevant data protection law.

Why we use or process your data

By maintaining records of customers and visitors and sharing these with NHS Test and Trace where requested, people who may have been exposed to the virus can be identified.

What information we need and how we use it

The following information may be collected where possible:

  • full name and contact phone number (or lead member of the group)
  • date of visit 
  • arrival time
  • departure time

Who we will share your data with

Your data will only be shared with the NHS for Test and Trace purposes.

What the lawful basis is for processing personal data

Providing your data is voluntary and you can choose to opt out of the NHS Test and Trace process. If you do not provide details for Test and Trace, this will not affect what services or activities you are able to participate in or engage with.

GDPR Article 6(1) (c) GDPR - processing is necessary to fulfill a legal obligation.

GDPR Article 9(2)(i): the processing is necessary for reasons of public interest in the area of public health and DPA 2018 – Schedule 1, Part 1, s.3: Public Health.

How we store your information

Your data will be stored on secure network drives. We will hold records for 21 days. This reflects the incubation period for COVID-19 (which can be up to 14 days) and an additional 7 days to allow time for testing and tracing. After 21 days, this information will be securely disposed of or deleted.

More information

The Information Commissioner's Office has published its own FAQs on data handling during the pandemic. Please see relevant government and NHS pages for more information on the Test and Trace scheme.

How to get advice or make a complaint

Data protection contact information 

If you’d like to discuss your data protection rights, you can contact the Data Protection Team. Only use these contact details if you have questions about data protection and not for questions about other services. 

We also have a Data Protection Officer. Visit our data protection officer page to find their contact details. 

Please contact the Data Protection Team first if you have any concerns. 

You can then contact the Information Commissioner’s Office (ICO). The ICO is the national regulator with responsibility for ensuring compliance with data protection.