Appendix C - COVID 19 Lateral Flow Tests
Privacy Notice for Lateral Flow Testing
Data protection principles
We will comply with data protection law, which states that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Identity and contact details of the Data Controller
Sidcot School is the data controller. For any queries, please email dpl@sidcot.org.uk
Description of the personal data that will be processed (Staff)
Your personal and special category data will be processed as follows:
Personal data processed:
- Full name
- Personal Phone number (if known)
- Job Role
- Gender
- Date of Birth
- Address & Postcode of residence
Special category data processed:
- Data concerning health:
- Ethnicity
- Date of test/s performed
- Time of test performed
- Lot number of test strip
- Result - Positive, Negative or Invalid
How we will collect the personal data
Data we already hold about you from your HR record:
- Full name
- Personal phone number (if recorded)
- Job Role
- Gender
- Date of Birth
- Address & Postcode
New data you will provide
- Test result
- Lot number of test strip
- If invalid, confirmation of repeat test
Description of the personal data that will be processed (Student)
Your personal and special category data will be processed as follows:
Personal data processed:
- Full name
- Personal Phone number (if known)
- Gender
- Date of Birth
- Address & Postcode of residence
Special category data processed:
- Data concerning health:
- Ethnicity
- Date of test/s performed
- Time of test performed
- Lot number of test strip
- Result - Positive, Negative or Invalid
How we will collect the personal data
Data we already hold about you from your school record:
- Full name
- Gender
- Date of Birth
- Address & Postcode of
New data you will provide through Microsoft Forms:
- Test result
- Lot number of test strip
- If invalid, confirmation of repeat test
Purposes and legal basis for the processing of data
The table below shows what your personal data will be used for and the lawful basis that Sidcot School is using in order to process your data.
| Data items | Purpose | GDPR: conditions for processing personal data | GDPR: conditions for processing special category data | DPA: conditions for processing special category data (only applicable if using Article 9 (b), (g), (h), (i) or (j)) |
| --- | --- | --- | --- | --- |
| Full name; Phone number; Job Role; Gender; Date of Birth; Address & Postcode of residence | To verify your identity. | Article 6 (e): Public task | Not applicable | Not applicable |
| Data concerning health: Ethnicity; Date of test/s performed; Time of test performed; Lot number of test strip; Result - Positive, Negative or Invalid | To test whether you have Covid-19. | Article 6 (e): Public task | Article 9 (h): health or social care (with a basis in law) | DPA 2018: Schedule 1, part 1, 2, (2): Preventive or occupational medicine; Assessment of the working capacity of an employee; Medical diagnosis; Management of health and care systems |
| Full name; Job Role number (if known); Date of Birth; Full Address; Gender; Ethnicity; Test result; Lot number of test strip; If invalid, confirmation of repeat test | To share your data with Public Health England. | Article 6 (e): Public task | Article 9 (i): Public interest in the area of public health | To share your data with Public Health England. |
Recipients of the personal data (who your data is shared with)
If you test positive for Covid-19, we will share your data with Public Health England (PHE).
The personal data items that are shared with PHE are:
- Full name
- Job Role (staff only)
- Date of Birth
- Full Address
- Gender
- Ethnicity
- Test result
- Lot number of test strip
- If invalid, confirmation of repeat test
For transparency, Sidcot may share statistical data with NHS England e.g. how many staff members have completed a test. No personal data is shared with NHS England.
International transfers
Your personal data is stored in the UK and replicated across multiple data centers in Europe. However, your personal data is not shared internationally by Sidcot School for any other processing.
Retention period
The data will be retained for a minimum of 14 days or until 1 calendar month after testing finishes.
Information about data subjects’ rights
The rights available align to the lawful basis used to process your personal data.
The table below provides an outline of the individual rights that you can enforce.
| Processing condition | Right to erasure | Right to portability | Right to rectification | Right to restrict processing | Right to object | Right not to have automated decision making |
| --- | --- | --- | --- | --- | --- | --- |
| Public task | No | No | Yes | Yes | Yes | Yes |
For transparency, we are not using the lawful basis of consent for this processing; therefore, the right to withdraw consent is not applicable.
Measures in place to ensure data security
Your data will be stored on Microsoft 365, and thus it has been through very stringent security checks and balances. The data is encrypted at all stages and access to it is closely monitored and regulated.
Right to complain to the Supervisory Authority
You have the right to make a complaint if you feel unhappy about how we process your information.
We recommend contacting our Data Protection Lead at dpl@sidcot.org.uk initially to talk through any concerns that you have.
If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:
- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Web: https://ico.org.uk/concerns/
- Phone: 0303 123 1113
Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly.
Please refer to the website above for further advice.
Automated decision making, including profiling
No automated decision making or profiling is involved.
Changes
Any changes to this Privacy Notice will be communicated to staff and students.
Contact details of the Data Protection Lead (DPL)
The primary role of the DPL is to ensure that Sidcot School processes personal data of staff, students and any other individuals (also referred to as data subjects) in compliance with the applicable data protection laws and regulations.
The DPL for Sidcot School is: James Russell, Data Protection Lead & IT Development Director
Email address: dpl@sidcot.org.uk