• Appendix C - COVID 19 Lateral Flow Tests

Appendix C - COVID 19 Lateral Flow Tests

Privacy Notice for Lateral Flow Testing

Data protection principles

We will comply with data protection law, which states that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about
  • Kept securely.

Identity and contact details of the Data Controller

Sidcot School: is the data controller any queries please email dpl@sidcot.org.uk

Description of the personal data that will be processed (Staff)

Your personal and special category will be processed as follows:

  • Personal data processed:
  • Full name
  • Email
  • Personal Phone number (if known)
  • Job Role
  • Gender
  • Date of Birth
  • Address & Postcode of residence

Special category data processed:

  • Data concerning health:
  • Ethnicity
  • Date of test/s performed
  • Time of test performed
  • Lot number of test strip
  • Result - Positive, Negative or Invalid

How we will collect the personal data

Data we already hold about you from your HR record:

  • Full name
  • Email
  • Personal phone number (if recorded)
  • Job Role
  • Gender
  • Date of Birth
  • Address & Postcode

New data you will provide

  • Test result
  • Lot number of test strip
  • If invalid, confirmation of repeat test

Description of the personal data that will be processed (Student)

Your personal and special category will be processed as follows:

Personal data processed:

  • Full name
  • Email
  • Personal Phone number (if known)
  • Gender
  • Date of Birth
  • Address & Postcode of residence

Special category data processed:

  • Data concerning health:
  • Ethnicity
  • Date of test/s performed
  • Time of test performed
  • Lot number of test strip
  • Result - Positive, Negative or Invalid

How we will collect the personal data

Data we already hold about you from your school record:

  • Full name
  • Email
  • Gender
  • Date of Birth
  • Address & Postcode of

New data you will provide through Microsoft Forms:

  • Test result
  • Lot number of test strip
  • If invalid, confirmation of repeat test

Purposes and legal basis for the processing of data

The table below shows what your personal data will be used for and the lawful basis that Sidcot School is using in order to process your data.

Data items

Purpose

GDPR:

conditions for

processing

personal data

GDPR:

conditions for

processing special

category data

DPA: conditions for processing special category data

(only applicable if using Article 9 (b),

(g), (h), (i) or (j)

Full name

Email

Phone number

Job Role

Gender

Date of Birth

Address & Postcode of residence

To verify your identify.

Article 6 (e): Public task

Not applicable

Not applicable

Data concerning health:

o Ethnicity

To test whether

Article 6 (e): Public task

Article 9 (h): health or social care

DPA 2018: Schedule

1, part 1, 2, (2):

Date of test/s performed

Time of test performed

Lot number of

test strip

Result - Positive,

Negative or Invalid

you have Covid-19.

(with a basis in law)

Preventive or occupational

medicine

Assessment

of the working capacity of an employee

Medical

diagnosis

Management

of health and care systems

Full name

Job Role

number (if known)

Date of Birth

Full Address

Gender

Ethnicity

Test result

Lot number of test strip

If invalid, confirmation of repeat test

To share your data with Public Health

England.

Article 6 (e): Public task

Article 9 (i): Public interest in the area of public health

To share your data with Public Health England.

Recipients of the personal data (who your data shared with)

If you test positive for Covid-19, we will share your data with Public Health England (PHE).

The personal data items that are shared with PHE are:

  • Full name
  • Job Role (staff only)
  • Date of Birth
  • Full Address
  • Gender
  • Ethnicity
  • Test result
  • Lot number of test strip
  • If invalid, confirmation of repeat test

For transparency, Sidcot may share statistical data with NHS England e.g. how many staff members have completed a test. No personal data is shared with NHS England.

International transfers

Your personal data is stored in the UK and replicated across multiple data centers in Europe. However, your personal data is not shared internationally by Sidcot School for any other processing.

Retention period

The data will be retained for a minimum of 14 days or until 1 calendar month after testing finishes.

Information about data subjects’ rights

The rights available align to the lawful basis used to process your personal data.

The table below provides an outline of the individual rights that you can enforce.

Processing condition

Right to erasure

Right to portability

Right to rectification

Right to restrict

processing

Right to object

Right not to have

automated

decision making

Public task

No

No

Yes

Yes

Yes

Yes

For transparency, we are not using the lawful basis of consent for this processing therefore the right to withdraw consent is not applicable.

Measures in place to ensure data security

Your data will be stored on Microsoft 365, and thus it has been through very stringent security checks and balances. The data is encrypted at all stages and access to it is closely monitored and regulated.

Right to complain to the Supervisory Authority

You have the right to make a complaint if you feel unhappy about how we process your information.

We recommend contacting our Data Protection Lead at dpl@sidcot.org.uk initially to talk through any concerns that you have.

If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:

Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly.

Please refer to the website above for further advice.

Automated decision making, including profiling

No automated decision making, or profiling is involved.

Changes

Any changes to this Privacy Notice will be communicated to staff and students.

Contact details of the Data Protection Lead (DPL)

The primary role of the DPL is to ensure that Sidcot School processes personal data of staff, Students and any other individuals (also referred to as data subjects) in compliance with the applicable data protection laws and regulations.

The DPL for Sidcot School is: James Russell, Data Protection Lead & IT Development Director

Email address: dpl@sidcot.org.uk