On 28 September 2020, the Government passed into law a national Test and Trace Support scheme. From 12th October, a one-off payment of £500 or access to a discretionary fund will be available for eligible individuals. More information about this scheme can be found on the government website.
If you apply, we will need to process your personal data to assess whether you are eligible to receive financial support, and if so, to provide a payment to you. This Privacy Notice sets out what personal data we will use, how we will use it, and why we need to, when an applicant applies for this support.
The Department of Health and Social Care (DHSC) has commissioned NHS Test and Trace on behalf of the government and is the data controller for the purposes of providing Test and Trace data to Surrey Heath Borough Council.
Surrey Heath Borough Council are the data controller for the purposes of assessing eligibility, administering and making payments under the Test and Trace Support scheme.
New package to support self-isolation
If you have been told by the NHS to self-isolate, either because you have tested positive for COVID-19 or you have been in contact with someone who has tested positive, you may be entitled to some financial support during your self-isolation period.
What are Self-Isolation Payments?
People who are eligible will receive:
A £500 one-off Test and Trace Support payment or provision from the discretionary fund to remain at home to help stop the spread of the virus.
Categories of personal data we collect and process
We collect and process the personal data that you provide to us when completing your application for a self-isolation support payment, which may include:
- Full name;
- Full residential address;
- Email address;
- Mobile telephone number;
- Home telephone number;
- Proxy applicant details (as above where you may nominate someone else to complete this application on your behalf);
- Employer name and address;
- NHS notification number (the unique reference you will be given by NHS Test and Trace Service to self-isolate);
- Bank account details;
- Your National Insurance Number;
- Proof of self-employment e.g. recent business bank statement (within the last two months), most recent set of accounts or evidence of self-assessment
Source and categories of personal data
We will obtain data from the NHS Test and Trace Service to confirm that you have either tested positive for COVID-19 or you have been in close contact with someone who has tested positive for COVID-19. As this data is related to your health it is referred to as ‘special category data’.
You or your nominated representative will also provide us with additional personal data in relation to your application for a Self-Isolation Payment.
What we use your personal data for
We will carry out checks with the NHS Test and Trace Service and the Department for Work and Pensions (DWP), for verification purposes, Her Majesty’s Revenue and Customs (HMRC), for tax and National Insurance purposes, and potentially with your employer in validating your application.
Information relating to your application will also be sent to the DHSC to help understand public health implications, allow us to carry out anti-fraud checks and determine how well the scheme is performing.
We will not share this data with other organisations or individuals outside of Surrey Heath Borough Council for any other purpose.
We will provide information to HMRC in relation to any payments we make because Self-Isolation Payments are subject to tax and National Insurance contributions. If you are self-employed, you will need to declare the payment on your self-assessment tax return.
Our lawful basis for processing the personal data
We must have a legal basis to process your personal data. Our lawful basis in the processing that we’ll undertake in assessing your eligibility for, and in making any self-isolation payment to you, is based on a legal obligation.
Where we use personal information to confirm that someone is eligible for a self-isolation payment, the sections of the law that apply are:
- GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- GDPR Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare;
- Data Protection Act 2018 Schedule 1 Part 1 (2) - health or social care purposes
Separately, we have special permission from the Secretary of State for Health and Social Care to use confidential patient information without people’s consent for the purposes of diagnosing, recognising trends, controlling and preventing, and monitoring and managing communicable diseases and other risks to public health.
This is known as a ‘section 251’ approval and includes, for example, using your test results if you test positive for COVID-19 to start the contact-tracing process.
The part of the law that applies here is section 251 of the National Health Service Act 2006 and Regulation 3 of the associated Health Service (Control of Patient Information) Regulations 2002.
You can find more information on this via the NHS Contact Tracing Privacy Notice here.
Data Processors and other recipients of your data
These are the recipients with which your personal data is shared:
Her Majesty’s Revenue and Customs (HMRC) for tax and National insurance purposes;
Your employer for verification checks purposes;
International Data Transfers and Storage
The Council does not share data with organisations outside of the European Economic Area (EEA), however the Council is moving some of its IT systems to cloud based solutions, this could mean that a cloud server may be housed outside of the EEA. Data must not be transferred to a Country or territory outside the EEA unless that Country or Territory protects the rights and freedoms of Data Subjects. Where the Council uses cloud based IT solutions it will always complete a Data Privacy Impact Assessment (DPIA) to identify exactly where the data is being stored and only when we are completely satisfied that the location is considered adequate by the member state will we adopt the service.
Personal data disposal and retention
We will only keep your personal data for as long as it is needed for the purposes of the COVID-19 emergency, and for audit and payment purposes.
Your rights as a data subject
By law, you have a number of rights as a data subject and this does not take away or reduce these rights. Your rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018 applies.
All information is processed in accordance with the Surrey Heath Borough Council data protection policy.
These rights are:
- Your right to get copies of your information – you have the right to ask for a copy of any information about you that is used.
- Your right to get your information corrected – you have the right to ask for any information held about you that you think is inaccurate, to be corrected
- Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
- Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
- Your right to get information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.
If you are unhappy or wish to complain about how your personal data is used as part of this programme, you should contact Surrey Heath Borough Council in the first instance,
If you are still not satisfied, you can complain to the Information Commissioners Office. Their website address is www.ico.org.uk and their postal address is:
We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited, and the audits are reviewed at senior level.
Data Protection Officer
Gavin Ramtohal, Head of Legal Services
Email address: firstname.lastname@example.org
Postal address: Surrey Heath House, Knoll Road, Camberley, Surrey, GU15 3HD
Telephone number: 01276 707100
Automated decision making or profiling
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Changes to our policy
We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on our website. This privacy notice was last updated on 06 October 2020.