NHS Test and Trace has been set up by Public Health England to help manage the process of identifying and contacting people who may have been infected with COVID-19.
The purposes of Test and Trace are to:
- enable patients with COVID-19 to provide the details of people they have been in close contact with and who may have been infected with coronarvirus
- manage the process of tracing these contacts to find out if they have any COVID-19 symptoms and if so, to provide advice on how to seek help
- help monitor the numbers of people infected with COVID-19 and the numbers of contacts who have been traced
What information is collected and why
Test and Trace needs to collect personal data to trace the contacts of people with COVID-19.
The information about people with COVID-19 comes from the hospital and laboratory test reports sent to Public Health England.
Once the data is received, Test and Trace will contact these people by text or email and ask them to confirm their:
- full name
- date of birth
- NHS Number
- home postcode and house number
- telephone number and email address
- COVID-19 symptoms, including when they started and their nature
They are also asked to provide the contact details of anyone they have been in close contact with.
Test and Trace will then text or email the contact and ask them to confirm or provide:
- their full name, date of birth and contact details
- details of any COVID-19 symptoms they may have had
This information is used to provide them with advice on self-isolation and how to protect themselves and others from COVID-19.
How the information is used
Working with Public Health England to provide NHS Test and Trace is the Department of Health and Social Care, which is responsible for coordinating the national response to the coronarvirus pandemic.
Department of Health and Social Care has instructed the following organisations to help with Test and Trace:
- The NHS Business Services Authority, an arm’s-length body of the Department of Health and Social Care, which is managing the contracts with NHS Professionals, Serco UK and SITEL Group
- NHS Professionals, a limited company owned by the Department of Health and Social Care, which is recruiting and managing registered medical professionals to trace and provide public health advice to the contacts of people with COVID-19
- Serco UK, a private company, which is providing additional staff to call the contacts of people with COVID-19 and provide advice on self-isolation
- SITEL Group, a private company, which is also providing additional staff to call the contacts of people with COVID-19 and provide advice on self-isolation
- Amazon Web Services, a private company, which is providing the secure storage location for the information collected by NHS Test and Trace
These organisations are only permitted to use information collected by NHS Test and Trace to help with the COVID-19 contact tracing. They are data processors acting on the instructions of the Department of Health and Social Care and cannot use the contract tracing information for any other purpose.
How the information is protected
The personal data collected by NHS Test and Trace held on secure computer systems and on AWS servers.
The information can only be seen by:
- the Public Health England staff working on NHS Test and Trace
- the contact tracers from Local Authority public health teams, who can only see the information of people with COVID-19 and their contacts for their local area
- the contact tracers working for NHS Professionals, who can only see the information of the people with COVID-19 and the contacts they have been instructed to call
- the contact tracers working for Serco UK and SITEL Group, who can only see the information of the contacts they have been instructed to call
All the Public Health England, Local Authority public health team, NHS Professionals, Serco UK and SITEL Group staff working on NHS Test and Trace have been trained to protect the confidentiality of people with COVID-19 and their contacts.
The staff working for Amazon Web Services are not able to see any of the information collected by NHS Test and Trace.
The information collected by NHS Test and Trace is held in the UK only.
No information that could identify any person with COVID-19 or their contacts will ever be published by Public Health England or any of the organisations working with it on NHS Test and Trace.
How long the information is kept
Personal data of people with COVID-19 symptoms is kept by Public Health England for 20 years.
Personal data of people who do not have any symptoms is kept by Public Health England for 5 years.
This information needs to be kept for this long because COVID-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments.
NHS Test and Trace and the law
The GDPR allows Public Health England to use the personal data collected by NHS Test and Trace without the consent of the individual.
The sections of the GDPR that apply are:
- Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’
As information about health is a special category of personal data, a further section of the GDPR applies:
- Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare’
Public Health England also has special permission from the Secretary of State for Health and Social Care to use personal data without people’s consent where this is in the public interest. This is known as ‘Section 251’ approval.
Section 251 of the National Health Service Act 2006 and the Health Service (Control of Patient Information) Regulations 2002 allow the Secretary of State for Health to make regulations to set aside the common law duty of confidence for defined medical purposes.
In practice, this means the person responsible for the information can disclose confidential patient information without consent to an applicant without being in breach of the common law duty of confidence.
Duties on employers or organisations
The current government guidance doesn’t have a legal obligation on an employer to provide personal data to the authorities.
The guidance states that if an outbreak did occur at a setting, Public Health England’s local Health Protection Teams will conduct a rapid investigation and will advise the setting on the most appropriate action to take.
If you are requested to provide personal data of other individuals, then the legal basis for the sharing of the data will the same as above (Article 6(1)(e) and Article 9(2)(i).
Digital Contact Tracing (Data Protection Bill)
The Joint Committee on Human Rights proposed the Digital Contact Tracing (Data Protection Bill); however, the Secretary of State for Health, Matt Hancock, declined to adopt the Bill, saying that new legislation to protect data gathered under the Test Trace Isolate programme was not necessary.
Harriet Harman, the Chair of the Committee, wrote to Matt Hancock on the 29th of May and reiterated her concerns. See the letter here: https://committees.parliament.uk/publications/1284/documents/11453/default/
Jacob Rees-Mogg, the Leader of the House of Commons, has also declined to put the Bill before the House, saying that he supported Matt Hancock’s decision.
The letter from Rees-Mogg can be found here:https://committees.parliament.uk/publications/1283/documents/11444/default/