Privacy and the coronavirus pandemic

Privacy Notice relating to Covid-19

This privacy notice explains how Buckinghamshire Council will use personal data in response to the coronavirus pandemic.

Processing activity

Your data will be used to:

  • prevent or mitigate the impact of the virus
  • record people who may be vulnerable to the virus or otherwise require support due to the virus
  • identify people who may be vulnerable to the virus or otherwise require support due to the virus and targeting support where required
  • share information with other organisations to allow them to help people who need it
  • record details of volunteers who are willing to help us
  • share details of volunteers with other organisations to help with resourcing
  • share information with other organisations who are allowed to process confidential information in relation to Covid-19 purposes as defined by the Secretary of State
  • collect, receive and share data with other organisations as part of NHS Test and Trace and as part of monitoring of the virus, for instance, we will collect the name and contact details of customers/visitors to our libraries and this data may be shared with NHS Test and Trace where it is necessary, either because someone who has tested positive for Covid-19 has listed our premises as a place they visited recently, or because our premises have been identified as the location of a potential local outbreak of COVID-19
  • collect (including from external sources), store and transfer data for the purposes of the vaccination programme
  • record any Buckinghamshire Adult Learning staff or student who has chosen to take a Lateral Flow Test kit for use at home. Data (name, contact details and kit details) will be kept for 21 days only.
  • link (under certain conditions) NHS Test and Trace data with our Shielded Patient List data (and Government Digital Service “Incoming” data if appropriate) in order to identify clinically extremely vulnerable people (CEVs) that have come into contact with individuals recorded by NHS Test & Trace, and/or identify CEVs that have been directed to isolate, in both cases to offer them appropriate advice and direct care

Public Health will lead, if required, on surge testing that will include leaflet drops and door knocking at identified addresses within designated postcodes. We may then ask for your address on attending a Mobile Testing Unit but this will not be matched to any other data and will be destroyed at the end of the surge testing exercise.

Data sharing from Public Health England (PHE):

We receive personal identifiable data, relating to tests for coronavirus, from PHE as part of the national effort to protect the public from a communicable disease. This enables us to locally control and prevent the spread of coronavirus (COVID-19).

The data we receive (which can include name, date of birth, age, gender, telephone number, address, postcode, NHS number, ethnicity and COVID-19 test details) is what we need for our work to help control, understand and prevent the spread of coronavirus and is part of our responsibilities to protect the health of our residents.

Also, as part of a local contact tracing service, we will contact residents in the county who have tested positive for COVID-19 but have not been reached by the National Test & Trace Service. This activity will ensure any resident within the county who has tested positive for COVID-19 is quickly followed up, wherever possible. Where we have been unable to make successful contact, we will share data with the Buckinghamshire Fire and Rescue Service who will visit the person’s registered address, on our behalf, and attempt to make contact in person. The aim being to improve the overall effectiveness of the national test, trace, isolate strategy, thereby reducing the spread and impact of the COVID-19 outbreak.

More information is available on PHE’s privacy information page.

Data requirements

Depending on the service you are using this data may include: 

  • Name
  • Contact details (e.g. phone number, email address)
  • Address
  • Date of birth
  • NHS number
  • Any information which could be used to identify people who are vulnerable to the virus or otherwise require support due to the virus (e.g. health information)

Any information which illustrates a person’s needs (e.g. health information)

Lawful basis for processing

The lawful bases for processing your personal data are:

  • Legal Obligation – we need to process the personal data to comply with a statutory obligation (Article 6(1)(c)) 

The Health Service (Control of Patient Information) Regulations 2002 r3(4)

Health and Safety At Work Act 1974 s2 & s3

The Civil Contingencies Act 2004

  • Public Task – we need to process the personal data in the exercise of official authority (public functions and powers that are set out in law) or to perform a specific task in the public interest that is set out in law (Article 6(1)(e)) as supplemented by DPA2018 s8(c))

The Civil Contingencies Act 2004

The Local Government Act 1972 s139

  • Substantial Public Interest as supplemented by DPA2018 s10(3) and Schedule 1 Part 2 Para 6
  • National Health Service Act 2006, s2B(1)
  • Part 2 of the Local Authorities (Public Health Functions and Entry to Premises by Local Healthwatch Representatives) Regulations 2013 (SI 2013/351)

The Civil Contingencies Act 2004

  • Consent (Article 6(1)(a))

Data sharing

We may share data with the following:

  • Other Council services, public bodies and authorities
  • Central Government
  • Emergency services
  • NHS agencies, including NHS Test and Trace
  • Healthcare organisations
  • Utility companies
  • Voluntary organisations/Volunteers

Please refer to our Corporate Privacy Policy for further details of how we process your personal data and your rights.