Lateral Flow Testing Privacy Notice - Privacy Statement

A new data protection law was introduced on 25th May 2018. As a result, we've updated our Privacy Notice to make it easier for you to find out how we use, process and protect your information.

Background

The Scottish Government/NHS Test and Protect, in partnership with the UK Department of Health and Social Care, is responsible for the overall delivery of COVID-19 Lateral Flow Testing (LFT) of staff in primary, secondary and special schools and Early Learning and Childcare (ELC) and secondary pupils in Scotland. The testing of asymptomatic people can support education settings to identify positive cases, break chains of transmission and reduce risks in settings.

If you consent to take part in Lateral Flow testing, your forename and surname will be entered into the Testing Kit spreadsheet by your school. This logs details of the testing kits that have been provided to you. We will also keep your signed consent form. We will keep your information on secure Council networks for 7 years following the date of the last entry into the spreadsheet, after this period it will be destroyed under secure arrangements if it is no longer required for the lawful purpose(s) for which it was obtained. 

Scope of this privacy notice

This privacy notice covers the uses of personal data of staff in primary, secondary and special schools and Early Learning and Childcare (ELC) settings, and secondary pupils, by NHS National Services Scotland (NHS NSS) and Public Health Scotland (PHS).

This privacy notice provides you with information about how your personal data will be collected and used in connection with COVID-19 Lateral Flow Testing. It covers the collection and use of your personal data, from providing the LFT data to the test results being recorded and processed.

As part of this testing, different organisations may require a different level of information about your LFT data, including the Department of Health and Social Care (DHSC) and schools/ELC providers.

Please refer to the relevant privacy notices if you want to know more about the uses of your personal data by other organisations. Every organisation involved in this data processing is independently responsible for complying with the applicable data protection legislation.

Who am I giving my personal data to?

If you (or your parent/legal guardian for children below the age of 16 or individuals without the required capacity) consent to participate in this LFT process, you will need to submit the results of your self-administered Covid-19 lateral flow tests through the DHSC LFT self-test digital journey portal. DHSC is the data controller in relation to this data processing and you can find more information here - Covid 19 testing privacy information.

For individuals based in Scotland, in line with mandatory notifiable disease reporting regulations and the public tasks of NHS National Services Scotland (NSS) and Public Health Scotland, LFT data submitted through the digital journey portal will flow through National Pathology Exchange (NPEx) (DHSC’s processor) into NSS, who safely and securely store the provided data. Public Health Scotland (PHS) also has access to this data to perform their public functions.

NHS NSS and PHS are data controllers for the below purposes.

What is the purpose of processing my personal data?

Providing the LFT data enables you to administer the Covid-19 tests directly without relying on a test centre. It also enables the involved parties to perform their public duties in managing the Covid-19 public health outbreak. In particular, NHS NSS is the data controller responsible for

  • hosting and administering the secure database on NHS secure servers which receives the LFT data
  • linking data to the Test and Protect Case Management System (CMS) for initiating contact tracing on positive results
  • linking data to the NSS Data Hub for national reporting of aggregated and anonymised results
  • providing feedback on incident reporting and outbreaks
  • linking LFT data to medical records

 

PHS is the data controller responsible for performing their statutory public functions and tasks, i.e., research, statistics and management of outbreaks.

What categories of personal data will be collected and processed?

The following personal data will be collected directly from you (or your parent/legal guardian for children below the age of 16 or individuals without the required capacity):

Identity Information:

  • Last name
  • First name
  • Date of birth
  • Gender
  • Ethnic group

Contact Information:

  • Area of residence
  • First line of address
  • Postcode
  • Contact mobile number
  • Contact email address

Health information:

  • Covid-19 Test Result (select from positive, negative or void)

Information about the Covid-19 test you have taken:

  • Test kit ID number
  • Date test taken

 Other:

  • Name or postcode of the school or college
  • Reason for taking the test (Testing for an education provider - like a school or college)
  • Community Health Index (CHI) number if you know it

The following personal data will be collected from other sources:

  • Community Health Index (CHI) number – where this is not provided by you, NHS NSS may have to carry out CHI matching for your data set for the positive tests based on the information kept by NHS NSS. This is necessary to ensure that your records are accurate and kept updated.

In the event of a positive LFT test you should book a PCR test to confirm the results. The involved parties in the PCR process will provide you with information about the processing of your personal data in this case.

What happens if I choose not to provide the personal data requested?

This privacy notice covers the LFT Covid-19 weekly testing of staff and secondary pupils for rapid identification of asymptomatic positive cases to reduce onward transmission within schools and ELC providers. This testing programme, alongside other protective measures such as physical distancing and handwashing, helps reduce the risks of coronavirus in education settings.

Staff and student participation in LFT testing is voluntary. It is the responsibility of the participating schools to ensure that that they obtain the appropriate and valid consent (e.g. from the participants or their parents/legal guardians). People who decline to participate in twice-weekly contact testing may still attend school/ELC providers, provided they continue to follow national guidance on symptomatic testing and self-isolation.

When you submit the LFT data to the LFD portal, you will need to provide personal data as detailed above.

What is the lawful basis for collecting, storing and using my data?

NHS NSS and PHS rely on the below lawful bases to process the personal data:

UK General Data Protection Regulation (GDPR) Article 6(1)(a) - Consent

UK GDPR Article 9(2)(a) - Consent

UK GDPR Article 6(1)(e) (lawful basis to permit the processing of personal data) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorities vested in the data controllers.

UK GDPR Article 9(2)(h) (lawful basis to permit the processing of special category data) processing is necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment or the management of health or social care systems and services.

UK GDPR Article 9(2)(i) (lawful basis to permit the processing of special category data) processing is necessary for reasons of public interest in the area of public health, such  as protecting against serious cross-border threats to health.

UK GDPR Article 9(2)(j) (lawful basis to permit the processing of special category data) processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes.

The processing of personal data covered in this policy also adheres to Schedule 1 of the UK Data Protection Act 2018. In particular, the applied conditions under Schedule 1 are:

  • Condition 2 – Health or social care purposes
  • Condition 3 - Public health
  • Condition 4 – Research etc
  • Condition 6 - Statutory etc and government purposes

How will my personal data be used?

NHS NSS and PHS process your personal data for the below purposes:

  • To perform their public duties and functions in supporting the public healthcare system as outlined under the National Health Service (Functions of the Common Services Agency) (Scotland) Order 2008 for NHS NSS (e.g. management services to support the Scottish Government and Health Boards) and the Public Health Scotland Order 2019 for PHS (e.g. research).
  • To administer the processing of your LFT results.
  • To enable contact tracing.
    • To share the test outcome with other parties involved in this process, such as local Health Boards so they can provide you with appropriate advice and support.

Where your personal data is shared with third parties acting as data controllers, they are responsible for ensuring compliance with data protection law.

How will my personal data be shared?

Your personal data will only be shared with specific parties as part of this processing and on a need- to-know basis. Where special categories of personal data are shared, this is subject to suitable and specific measures to safeguard your rights and freedoms. NHS NSS and PHS may share your personal data with:

  • Your local Health Boards to carry out their public health duties
  • The GP of the person who tested positive
    • NHS Test and Protect service who undertake contact tracing to initiate contact tracing for positive cases
    • Other parties of the health and care system for monitoring and planning actions in response to COVID-19

Where positive tests become part of the medical records of the tested person, parties authorised to access your medical records will also have access to this information.

Information about Covid-19 LFT tests may be provided to the Scottish Government in an aggregated and anonymised format for the evaluation of the effectiveness of this testing, including operational performance, clinical and public health effectiveness.

Your school/ELC provider may need to access information about your LFT for certain purposes (e.g. stock management and incident reporting about the quality or safety of testing). Information submitted to the self-test digital journey portal is not shared with school/ELC provider and you may have to provide this information directly to these organisations. Your school and/or ELC provider should provide necessary contact details for reporting the information to all participants.

How long will my personal data be kept?

  • The test information processed by NHS Scotland is kept for as long as is required to provide you with direct care and to support NHS Scotland initiatives to fight COVID-19. Information held for direct care purposes is stored in line with the Scottish Government Health and Social Care Records Management Code of Practice 2020. This means such information will be held for up to 7 years before it is deleted.
  • When positive test results are added to your personal medical records, this will be retained on these records for your lifetime.

Where is my personal data stored?

Your data will be stored securely within the United Kingdom and safely accessed by authorised parties. We will not share your personal data outside the United Kingdom.

Is my personal data kept private and secure?

We have legal duties to keep information about you confidential. Strict rules apply to keep your information safe and comply with the Data Protection Act 2018, UK GDPR and organisational Data Protection policies. Appropriate technical and organisational measures are used to keep your data safe, including adherence to the NHS Scotland Information Security Policy framework, PHS/NSS Corporate Information Security Policies, PHS/NSS Information Security Acceptable Use Policy, NHSS Information Security and Cyber Security incident reporting and management processes and information governance training.

What Are My Rights?

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  1. The right to be informed.
  2. The right of access.
  3. The right to rectification.
  4. The right to erasure.
  5. The right to restriction of processing.
  6. The right to data portability.
  7. The right to object.
  8. Rights in relation to automated decision-making.
  9. The right to lodge a complaint with a supervisory body.

Exercising Your Rights

(1)  In relation to personal data processed by NHS NSS

If you have questions, complaints or you would like to make a data subject access request (DSAR) regarding how your personal data is collected and processed by NHS NSS, the contact information you need is noted below.

Website:   https://nhsnss.org/contact-us 
Email Address: nss.dataprotection@nhs.scot
Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB 
Telephone: 0131 275 6000

For more information about your rights and how to invoke them in relation to your test results, visit the website at: https://nhsnss.org/how-nss-works/data-protection

(2)  In relation to personal data processed by PHS

If you have questions, complaints or you would like to make a data subject access request (DSAR) regarding how your personal data is collected and processed by NHS NSS, the contact information you need is noted below.

Website: Public Health Scotland
Email Address: phs.dataprotection@phs.scot
Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB 
Telephone: 0131 314 5436

(3)  In relation to personal data processed by other parties

For any data processing that is not covered in this privacy notice, other involved organisations are responsible. Please refer to their privacy notices.

Contact details of the data controllers:

NHS National Services Scotland
Website:   https://nhsnss.org/contact-us 
Email Address: nss.dataprotection@nhs.scot
Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB
Telephone: 0131 275 6000

Contact details of the NHS NSS Data Protection Officer (DPO)
Email Address: nss.dataprotection@nhs.scot
Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB
Telephone: 0131 275 6000

Public Health Scotland
Website: https://www.publichealthscotland.scot/contact- us/
Email Address: phs.dataprotection@phs.scot
Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB
Telephone: 0131 314 5436

Contact details of the NHS NSS Data Protection Officer (DPO)
Email Address: phs.dataprotection@phs.scot
Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB
Telephone: 0131 314 5436

To raise a complaint with the Information Commissioner’s Office (ICO) as the supervisory body in the UK, contact:

Information Commissioner’s Office
Postal Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 
Telephone: 0303 123 1113                   
Website: www.ICO.org.uk

Last updated: 11 February 2021

Privacy
Did you find what you were looking for?

Why wasn't this information helpful

Limit to 250 characters.