The Scottish Government (NHS Test and Protect), in partnership with the UK Department of Health and Social Care, Local Authorities and the NHS Scotland, is responsible for the overall delivery of Coronavirus (COVID-19) Lateral Flow Device (LFD) testing of staff in primary, secondary and special schools and Daycare of Children services: Early Learning and Childcare (ELC) and School Aged Childcare (SAC) settings and secondary school aged pupils (S1-S6) in Scotland.

The testing of asymptomatic people can support education settings to identify positive cases, break chains of transmission and reduce risks in settings.

Scope of this privacy notice

This privacy notice covers the processing of personal data of staff in primary, secondary and special schools and Early Learning and Childcare (ELC) or school aged childcare (SAC) settings, and secondary school aged pupils (S1-S6), by the Department of Health and Social Care, NHS National Services Scotland (NHS NSS) and Public Health Scotland (PHS) and schools and ELC or SAC settings.

This privacy notice provides you with information about how your personal data will be collected and used in connection with Coronavirus (COVID-19) Lateral Flow Device (LFD) testing. It covers the collection and use of your personal data, from providing the LFD data to the test results being recorded and processed.

As part of this testing, different organisations may require a different level of information about your LFD data, including the Department of Health and Social Care (DHSC) and schools/ELC or SAC settings. Please refer to the relevant privacy notices if you want to know more about the uses of your personal data by other organisations. Every organisation involved in this data processing is independently responsible for complying with the applicable data protection legislation.

For further privacy information refer to:


DHSC Privacy Notice

  1. Table of contents

Who am I giving my personal data to?

If you (or your parent/legal guardian) decide to participate in this LFD process, you will need to submit the results of your self-administered Coronavirus (COVID-19) lateral flow device tests through the DHSC LFD self-test digital journey portal. DHSC, in partnership with the Scottish Government, is the data controller in relation to this data processing. More information can be found at GOV.UK Coronavirus (COVID-19) testing: privacy information.

For individuals based in Scotland, in line with mandatory notifiable disease reporting regulations and the public tasks of NHS National Services Scotland (NSS) and Public Health Scotland, LFD data submitted through the digital journey portal will flow through the National Pathology Exchange (NPEx) (a data processor for DHSC) into NSS, who safely and securely store the provided data for future use for public health purposes. Public Health Scotland (PHS) also has access to this data to perform their public functions.

Scottish Government, Local Authorities (schools and ELC or SAC settings), NHS NSS and PHS are data controllers for the below purposes.


What is the purpose of processing my personal data?

Participating in the LFD programme is voluntary. The data collected is necessary to enable the administration of the Coronavirus (COVID-19) test directly to you without relying on a test centre. It also enables the involved parties to perform their public duties in managing the Coronavirus (COVID-19) public health outbreak as indicated in the table below.

As indicated in the table below, each of the organisations involved, play a different role in this process; in partnership, they will process your personal data for the below purposes:

  • to perform their public duties and functions (for more details refer to legal basis below)
  • to administer the processing of your LFD results
  • to enable contact tracing
  • to share the test outcome with other parties involved in this process, such as local Health Boards so they can provide you with appropriate advice and support.

Roles and responsibilities of the data controllers

Organisation (Data controller) Role within the Test & Protect Programme Access to personal data
Scottish Government (Scottish Ministers) The Scottish Government provides strategic direction and leadership for the Test and Protect Programme, as per the duty of Scottish Ministers to protect public health. No. The Scottish Government do not have access to personal identifiable data. 
Department of Health and Social Care (England) Is responsible for the overall delivery of COVID-19 Lateral Flow Testing (LFD) as part of the UK Testing programme.  Yes
Local Authorities/ Private Childcare provider  In partnership with the Scottish Government and DHSC, are responsible for the overall delivery of COVID-19 Lateral Flow Device Testing (LFD) of staff in primary, secondary and special schools and ELC and SAC settings and secondary school aged pupils (S1-S6) in Scotland.  Yes
Public Health Scotland (PHS) Responsible for performing their statutory public functions and tasks, ie research, statistics and management of outbreaks. Decides on analytical methods and reporting in its role as an independent official statistics producer. Yes, on a need-to-know basis only.
The Common Services Agency (NHS National Services Scotland - NHS NSS) Responsible for:
  • hosting and administering the secure database on NHS secure servers which receives the LFD data
  • linking data to the Test and Protect Case Management System (CMS) for initiating contact tracing on positive results
  • linking data to the NSS Data Hub for national reporting of aggregated and anonymised results
  • providing feedback on incident reporting and outbreaks
  • linking LFD data to medical records
Yes, on a need-to-know basis only.

What categories of personal data will be collected and processed?

The following personal data will be collected directly from you (or your parent/legal guardian):

  • Identity information
    • Last name
    • First name
    • Date of birth
    • Gender
    • Ethnic group
    • Occupation/profession/job title (ONS classification)
  • Contact information
    • Area of residence
    • First line of address
    • Postcode
    • Contact mobile number
    • Contact email address
  • Health information
    • Covid-19 test result (select from positive, negative or void)
  • Information about the Covid-19 test you have taken
    • Test kit ID number
    • Date test taken
  • Other
    • Name or postcode of the school or ELC or SAC setting
    • Reason for taking the test (Testing for an education provider - like a school or college)

The following personal data will be collected from other sources:

  • Community Health Index (CHI) number – where this is not provided by you, NHS NSS may need to match your details with the CHI database for the positive tests based on the information kept by NHS NSS. This is necessary to ensure that your records are accurate and kept updated.

In the event of a positive LFD test you should book a PCR test to confirm the results. The involved parties in the PCR process will provide you with information about the processing of your personal data in this case.


What happens if I choose not to provide the personal data requested?

This privacy notice covers the LFD Covid-19 weekly testing of staff and secondary school aged pupils (S1-S6) for rapid identification of asymptomatic positive cases to reduce onward transmission within schools and ELC or SAC settings. This testing programme, alongside other protective measures such as physical distancing and handwashing, helps reduce the risks of coronavirus in education settings.

Staff and pupil participation in LFD testing is voluntary. It is the responsibility of the participating schools / ELC or SAC settings to ensure that that they obtain the appropriate and valid consent (eg from the participants or their parents/legal guardians). People who decline to participate in twice-weekly contact testing may still attend school/ELC or SAC settings, provided they continue to follow national guidance on symptomatic testing and self-isolation.

In order to submit the LFD data to the LFD portal, you will need to provide personal data.


What is the lawful basis for collecting, storing and using my data?

The legal basis for each of the organisations involved in processing your personal data or making decisions about it are:

Organisation Legal basis
Scottish Government

Necessary for performance of a task carried out in the public interest on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 6(1)(e))

Necessary for reasons of substantial public interest for statutory and government purposes on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(g))

Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of section 1 of The Public Health etc. (Scotland) Act 2008 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(h)).

Necessary for reasons of public interest in the area of public health on the basis of The Public Health etc. (Scotland) Act 2008 section 1 (Duty of Scottish Ministers to protect public health) (UK GDPR Art 9(2)(i))

Necessary for scientific research or statistical purposes in the public interest (UK GDPR Art 9(2)(j))

NHS NSS and PHS

UK General Data Protection Regulation (GDPR) Article 6(1)(e) (lawful basis to permit the processing of personal data) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorities vested in the data controllers.

UK GDPR Article 9(2)(h) (lawful basis to permit the processing of special category data) processing is necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment or the management of health or social care systems and services.

UK GDPR Article 9(2)(i) (lawful basis to permit the processing of special category data) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

UK GDPR Article 9(2)(j) (lawful basis to permit the processing of special category data) processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes.

Local Authorities or Private Childcare provider (including schools and ELC or SAC settings)

UK General Data Protection Regulation (GDPR) Article 6(1)(e) (lawful basis to permit the processing of personal data) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorities vested in the data controllers.

UK GDPR Article 9(2)(j) (lawful basis to permit the processing of special category data) processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes.

DHSC

DHSC's legal basis for processing your personal data is:

  • GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • GDPR Article 9(2)(h) – the processing is necessary for the management of health/social care systems or services
  • GDPR Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health
  • DPA 2018 – Schedule 1, Part 1, (2)(2)(f) – health or social care purposes

Other organisations involved in processing your data (such as NHS Digital) will be doing so either with an agreement in place with the data controllers (eg DHSC) to provide that service, or with a legal basis of their own).

The processing of personal data covered in this policy also adheres to Schedule 1 of the UK Data Protection Act 2018. In particular, the applied conditions under Schedule 1 are:

  • Condition 2 - Health or social care purposes
  • Condition 3 - Public health
  • Condition 4 - Research etc
  • Condition 6 - Statutory etc and government purposes

How will my personal data be shared?

Your personal data will only be shared with specific parties as part of this processing and on a need-to-know basis. Where special categories of personal data are shared, this is subject to suitable and specific measures to safeguard your rights and freedoms. NHS NSS and PHS may share your personal data with:

  • Your local Health Boards to carry out their public health duties
  • The GP of the person who tested positive
  • NHS Test and Protect service who undertake contact tracing to initiate contact tracing for positive cases
  • Other parties of the health and care system for monitoring and planning actions in response to COVID-19

Where positive tests become part of the medical records of the tested person, parties authorised to access your medical records will also have access to this information.

Information about Covid-19 LFD tests may be provided to the Scottish Government in an aggregated and anonymised format for the evaluation of the effectiveness of this testing, including operational performance, clinical and public health effectiveness.

Your school/ELC or SAC setting may need to access information about your LFD for certain purposes (eg stock management and incident reporting about the quality or safety of testing). Information submitted to the self-test digital journey portal is not shared with school/ELC or SAC setting and you may have to provide this information directly to these organisations. Your school and/or ELC or SAC setting should provide necessary contact details for reporting the information to all participants.


How long will my personal data be kept?

The test information processed by NHS Scotland is kept for as long as is required to provide you with direct care and to support NHS Scotland initiatives to fight COVID-19. Information held for direct care purposes is stored in line with the Scottish Government Health and Social Care Records Management Code of Practice 2020. This means such information will be held for up to 7 years before it is deleted.

When positive test results are added to your personal medical records, this will be retained on these records for your lifetime.

The information processed by your school/ELC or SAC setting will be kept in line with the Council's privacy notice.

The information processed by DHSC will be kept in line with their privacy notice, for up to 8 years, in accordance with the Records Management Code of Practice for Health and Social Care 2016.


Where is my personal data stored?

Your data will be stored securely within the United Kingdom and safely accessed by authorised parties. We will not share your personal data outside the United Kingdom.


Is my personal data kept private and secure?

We have legal duties to keep information about you confidential. Strict rules apply to keep your information safe and comply with the Data Protection Act 2018, UK GDPR and organisational Data Protection policies.

Appropriate technical and organisational measures are used to keep your data safe, including adherence to the NHS Scotland Information Security Policy framework, PHS/NSS Corporate Information Security Policies, PHS/NSS Information Security Acceptable Use Policy, NHSS Information Security and Cyber Security incident reporting and management processes and information governance training.


What are my rights?

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restriction of processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision-making
  • the right to lodge a complaint with a supervisory body.

For more information about how to exercise your rights with NHS Scotland, visit How the NHS handles your personal health information.

For more information about your rights and how to invoke them in relation to your test results, visit NHS National Services Scotland.


Data Controllers contact details

If you have questions, complaints or you would like to make a data subject access request (DSAR) regarding how your personal data is collected and processed by the data controllers, use the contact information below.

NHS National Services Scotland
Gyle Square
1 South Gyle Crescent
Edinburgh
EH12 9EB

Public Health Scotland
Gyle Square
1 South Gyle Crescent
Edinburgh
EH12 9EB

Scottish Government
The Scottish Government Data Protection Officer
Victoria Quay, Commercial Street
Edinburgh
EH6 6QQ

Scottish Local Authorities

Links to Scottish Local Authority websites can be found on the COSLA website.

Data Protection Officers' contact details are available from https://protect.scot/local-authorities.

DHSC

DHSC's Data Protection Officers details are available at Testing for coronavirus: privacy information (www.gov.uk).

Email: data_protection@dhsc.gov.uk


In relation to personal data processed by other parties

For any data processing that is not covered in this privacy notice, other involved organisations are responsible. Please refer to their privacy notices.


Complaints

To raise a complaint with the Information Commissioner's Office (ICO) as the supervisory body in the UK, contact:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow, Cheshire
SK9 5AF

This notice was last updated March 2021.