PHE also reveals outsourcers Serco and Sitel will process sensitive information and claims length of retention is ‘because Covid-19 is a new disease’
Personal data from the NHS Test and Trace programme will be kept for 20 years and health secretary Matt Hancock has provided special exemption for the scheme to use sensitive information without citizens’ consent.
The privacy notice for the programme, which launched yesterday, not only cites the sections of the General Data Protection Regulation pertaining to use of data in the public interest or for delivery of public services, but also indicates that Hancock has provided Public Health England with “special permission… to use personally identifiable information without people’s consent, where this is in the public interest”.
Personal data – on those who have tested positive for Covid-19 – will initially be provided to the programme by Public Health England. Contact tracers will then get in touch with these people to obtain or confirm their full name, date of birth, sex, NHS number, full home address, telephone number, email address, and a history of their coronavirus symptoms. Tracers will also ask for contact details of anyone to have come into close contact with those who have tested positive.
Personal data on people that have suffered symptoms will be kept by PHE for 20 years. Information on those who have been in close contact with confirmed cases but have shown no symptoms themselves will be retained for five years.
The privacy notice said: “This information needs to be kept for this long because Covid-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments.”
Number of contact tracers recruited for Test and Trace scheme
Serco and Sitel Group
Outsourcers appointed by PHE to help meet the recruitment requirements of Test and Trace
End date of emergency order issued last month by Matt Hancock, instructing NHS organisations to process and share confidential data
Length of time personal data will be kept on people who have been in contact with coronavirus cases did not develop symptoms
Amazon Web Services
Cloud firm tasked with storing and securing data
The data will be stored in an Amazon Web Services cloud environment. But, although the notice indicates that the tech firm will is allowed to process the data, its “staff… are not able to see any of the information collected”.
“Information… is held on computer systems, which have been tested to make sure they are secure and are being kept up-to-date to make sure they are safe from viruses and hacking,” PHE said.
In addition to Public Health England – which is the data controller – information will also be processed by the Department of Health and Social Care, and two of its arm’s-length bodies: NHS Business Services Authority; and NHS Professionals – a recruitment company owned by DHSC.
Because of the “unprecedented” hiring demands of the programme – which has required the rapid recruitment of 25,000 tracers, PHE has “instructed” two outsourcers, Serco and Sitel Group, to provide “additional staff”.
The two firms are consequently listed as data processors.
“The contact tracers working for Serco UK and Sitel Group… can only see the information of the contacts they have been instructed to call,” PHE said. “Serco UK and Sitel Group staff working on NHS Test and Trace have been trained to protect the confidentiality of people with Covid-19 and their contacts.”
It added: “No information that could identify any person with COVID-19 or their contacts will ever be published by Public Health England or any of the organisations working with it on NHS Test and Trace.”
Rights and restrictions
Citizens whose data is held by the scheme have the right to ask for a copy of their personal information, and for inaccurate info to be corrected or restricted in its use.
They can also object to their data being used, and can ask for its deletion – but the notice makes clear that neither of these is “an absolute right”.
“Public Health England may need to continue to use your information,” it said. “We will tell you why if this is the case.”
Although 20 years may seem like a long time for data to be retained – particularly in support of a comparatively short-term scheme such as this – lengthy data-storage periods are not uncommon across the health service.
“Information needs to be kept for this long because Covid-19 is a new disease and it may be necessary… to help control any future outbreaks or to provide any new treatments”
The Records Management Code of Practice implemented by the government in 2016 outlines that, for example, care providers should keep mental health records for 20 years after a patient’s discharge, while information on long-term or recurring conditions is held for 30 years after treatment has ended. Blood bank records are kept for a minimum of 30 years after their creation.
The exemption given by Hancock for data to be used without individuals’ consent comes after the health secretary last month issued a six-month order instructing health-service organisations that, in supporting government’s coronavirus response, they are “required to process confidential information” in ways that might ordinarily be restricted.
In a series of emergency notifications, all national and local NHS entities, arm’s-length government bodies, and local authorities were informed that they can, effectively, share any patient data with any relevant organisation, providing the purpose of doing so is solely related to coronavirus research or response. They may also be directly instructed by government to engage in such sharing.
The order was issued with an end date of 30 September – although this could be extended if Hancock issues an explicit order to do so.