Coronavirus Antibody Testing: Privacy Information
Published June 2020
An antibody test can tell someone whether they have had the virus that causes Covid-19 in the past, by analysing a blood sample. A positive antibody test demonstrates that someone has developed antibodies to the virus. The presence of antibodies signals that the body has staged an immune response to the virus.
Covid-19 is a new disease, and our understanding of the body’s immune response to it is limited. We do not know, for example, how long an antibody response lasts, nor whether having antibodies means you can’t transmit the virus to others. Our understanding of the virus will grow as new scientific evidence and studies emerge.
How your data will be used
We will use the data you supply to arrange for you to receive antibody test at one of the agreed testing sites (this may be within your employer’s premises). The results of your test will be communicated to you and your employer. The results will not go on the employment record. However, your GP Practice will be able to access the result should these be required by them for your care and treatment.
Data gathered during the antibody testing programme will also be securely transferred to a central database which is held and controlled by NHS England. All information in this database is held securely, and access to this information is tightly governed, in line with Data Protection requirements.
The anonymised results from the testing programme will be used to undertake research which will provide information on the prevalence of COVID-19 in different regions of the country and help us better understand how the disease spreads.
NHS Surrey Heartlands Clinical Commissioning Group, on behalf of the Surrey Resilience Forum, have commissioned the system for undertaking the antibody testing programme within Surrey, and participating organisations within the East Berkshire, North East Hampshire & Farnham, and Surrey Heath CCG areas (covered as third parties in the service contract). Surrey Heartlands CCG, acting on behalf of these third parties, is therefore the Data Controller of the data gathered during the antibody testing programme for the purposes of Data Protection legislation. The CCG decides what information is required and how it needs to be used.
Surrey Heartlands CCG will undertake validation checking on the NHS number you supply when registering on the IT portal, to ensure that your details are accurately recorded.
NHS England are the Data Controller for data gathered during the antibody testing programme once it has been transferred to them by the CCG for the purposes of undertaking national research.
Other organisations will also support the delivery of the antibody testing programme and the related research but can only act on instructions provided to them by the CCG or NHS England. These organisations are known as Data Processors. The main data processor is “C & C Technology and Consulting Limited”, with sub-processing by Google Ireland Ltd.
C & C Technology and Consulting Limited are working towards completing the Data Security and Protection Toolkit (DSPT) and will provide Surrey Heartlands CCG with fortnightly updates of completion which will be monitored by the CCG. C&C have started the process of ISO27001, DSPT, Cyber Essentials and Cyber Essentials Plus accreditations. They are working with a third party, Defence Watch, to achieve Cyber Essentials in July 2020, ISO27001 and DSPT by 30th September 2020, and Cyber Essentials Plus by June 2021. They are undertaking this in line with the DSPT Action Plan requested by and supplied to Surrey Heartlands CCG. The CCG has received written confirmation that all data uploaded to the system is encrypted to AES256 standard when at rest and in transit. The platform underwent penetration and vulnerability testing in April 2020. C&C undertake internal security and testing on a quarterly basis, with an external penetration test undertaken annually. C&C have full monitoring in place on each platform which provides the CCG with system logging and alerts, as well as audit trails for monitoring purposes. C&C have applied and received their ODS code (8KL60) and have successfully registered on the DSPT.
What personal data we collect
The details we need from you to arrange testing and for the research are:
- First and last name
- Date of Birth
- NHS Number
- Email address
- Phone number
- Service / Team
- Work Location
- Previous Covid-19 infection results
- Health data (including the results of your tests and whether you are suffering from certain symptoms)
Purposes your information will be used for
Your data will be used for the following purposes:
- Arranging for you to receive antibody testing
- National and local research which will provide information on the prevalence of COVID-19 in different regions of the country and help us better understand how the disease spreads
What types of information we use
To allow us to undertake the activities above we will use different types of information, this includes:
- Identifiable Personal Data
- Personal Data (for example your name, contact details, or date of birth)
- Special Categories of Personal Data (which includes data relating to ethnicity and data relating to physical health)
- Non-Identifiable Personal Data – this includes ‘Pseudonymised Personal Data’ where personal data which could be used to identify you has been replaced with a pseudonym.
The data used for research will always be pseudonymised prior to sharing with NHS England.
Data Processors and other recipients of your data
Organisations who use your data and information on behalf of a Data Controller can only do so with clear instructions from them. They cannot use your data and information for any other purpose.
Any use of information that is not covered by the instructions from the Data Controller would be unlawful, unless the Data Controller agrees and provides written permission to do this.
The CCG have appointed Data Processors, as indicated below, to carry out these activities:
- Supplier of the Trustwide system used to gathering data required to arrange testing – C&C Technology and Consulting Limited
- Organisations involved in delivery of the Berkshire and Surrey Pathology Service, which will provide laboratories for the antibody testing
Other recipients of your data may include:
- Your employer
- The Department of Health and Social Care (DHSC)
- NHS England
- Organisations that undertake pseudonymisation of data on behalf of the CCG or NHS England
Any employee completing the request form for Antibody Testing is providing implied consent to satisfy the Common Law: Duty of Confidentiality.
For processing data for testing and re-identification (if required to be sent to GP practices for direct care), the lawful basis under GDPR will be:
- GDPR Article 6(1)(e)
“the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
- GDPR Article 9(2)(h)
“the processing is necessary for the provision of medical or social care or treatment” is also met.
The CCG’s official authority arises from the NHS Act 2006, Health & Social Care Act 2012, the Civil Contingencies Act, and the Coronavirus Act 2020. The lawful basis will apply to authorised processors of the CCG.
Common Law Duty of Confidentiality expects that a duty of confidence is applied and that information should not be disclosed without the data subjects consent.
The Secretary of State for Health and Social Care has issued a general notice under the Health Service Control of Patient Information Regulations 2002 (CPOI) to support the response to COVID-19. The notice requires NHS Trusts, Local Authorities and others to process confidential patient information (CPI) without consent for COVID-19 public health, surveillance and research purposes. The notice is currently in force until 30 September 2020 and provides a temporary legal basis to avoid a breach of confidentiality for COVID-19 purposes. At the time of expiry of the COPI notice, NHSE will apply for section 251 under the NHS Act 2006, for this activity.
The Health Research Authority (HRA) recommends that research organisations that are public authorities rely on public interest (Article 6(1)(e)) as their legal basis. Explicit consent under the GDPR is not necessary for health and care research.
Even though consent is not the legal basis for processing personal data for research, the common law duty of confidentiality is not changing, so consent is still needed for people outside the care team to access and use confidential patient information for research.
Other organisations involved in processing your data will be doing so either with an agreement in place with the CCG or DHSC / NHS England.
Your rights under Data Protection Act 2018 and GDPR
By law, you have a number of rights as a data subject, such as the right to access information held about you.
This testing programme does not take away or reduce these rights, so you can still request (for example), from the organisations named in this notice, copies of the information they hold about you.
If you are unhappy or wish to complain about how your information is used as part of this programme, you should contact the CCG in the first instance to resolve your issue – please see our website for further information on how to do this.
However you are entitled to also contact the Information Commissioner’s Office (ICO) if you have concerns about the way your information has been used and you can find their contact them by:
- Visiting their website: ico.org.uk
- Telephoning them on 0303 123 1113
Retention and storage of your information
The CCG holds records containing personal data for a limited amount of time and then securely destroys these when they are no longer required. The CCG will ensure that records are held in accordance with the guidance and retention schedules included within the 2016 Records Management Code of Practice for Health and Social Care. Please see our Records Management Policy for further information.
This means we will keep your personal information for up to 8 years before we dispose of it.
Information that identifies you will be stored securely, and processed in, the UK. Information that does not, and cannot, identify you may be stored and processed outside of the UK. For example, information purely about the number of tests conducted, or the number of outcomes from tests.
Data Protection Officer
Under data protection legislation the CCG is required to have a Data Protection Officer (DPO) and it is their role to:
- Inform and advise the organisation and its employees about their obligations to comply with applicable data protection legislation;
- Support and monitor compliance with applicable data protection legislation;
Be the first point of contact for individuals whose data is being processed.
The Data Protection Officer for the CCG is Daniel Lo Russo
We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your data.
This version was last updated by the Deputy DPO on the 16 June 2020.