Skip to main content

Protective monitoring service for coronavirus NHS Test and Trace: transparency notice

As part of the NHS Test and Trace programme (TT), NHS Digital’s Data Security Centre (DSC) is providing protective monitoring services to provide cyber security and resilience to the underlying infrastructure and operations that support the TT programme.

Our purposes for processing personal data

To manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19), the government are rolling out NHS Test and Trace, a  service which includes testing people for coronavirus, tracking the spread of the virus and tracing the people an infected person has come into contact with using both digital technology (the NHS Covid-19 App) and using manual contact tracing methods.

As part of the NHS Test and Trace programme (TT), NHS Digital’s Data Security Centre (DSC) is providing protective monitoring services to provide cyber security and resilience to the underlying infrastructure and operations that support the TT programme.

Legal basis for processing personal data

The Department of Health and Social Care (DHSC) is the controller of the personal data processed by the TT programme under the General Data Protection Regulation 2016 (GDPR).

NHS Digital is a processor on behalf of the DHSC for the collection and analysis of the data to provide the protective monitoring service. 

DHSC’s legal basis for processing personal data to operate the TT programme is:

  • GDPR Article 6(1)(e) - the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service.

DHSC’s legal basis for processing personal data related to health (special category data) is:

  • GDPR Article 9(2)(g) – substantial public interest and DPA 2018 - Schedule 1, Part 2, para 6 (Statutory and government purposes)
  • GDPR Article 9(2)(h) – health or social care purposes and DPA 2018 – Schedule 1, Part 1, (2) (2) (f) – Health or social care purposes
  • GDPR Article 9(2)(i) – public health purposes and DPA 2018 - Schedule 1, Part 1, para 3 (Public health)

Types of personal data we process

NHS Digital’s protective monitoring service will monitor system, network and event data from the systems operated by DHSC’s TT programme to identify, investigate, defend and respond to cyber security threats. The types of personal data processed include:

  • IP addresses
  • machine identifiers of the solution infrastructure (but not of the public subscriber)
  • email addresses
  • error/event logs which may include personal and special category data

How we obtain your personal data

From system, network and event logs from DHSC’s systems which operate the TT programme.

Who we share your personal data with

NHS Digital’s use of the data is restricted to the investigation and closure of cyber security incidents. We will only share personal data at the instruction of DHSC, the Controller.

How long we keep your personal data for

Most system, network and event data will be held for up to 180 days for protective monitoring purposes. Where the data is required to be retained for longer, this will be at the instruction of DHSC, the Controller.

Where we store the data

NHS Digital only stores and processes your personal data within the UK.

Your rights over your personal data

Under data protection law, you have a number of rights including:

  • the right to be informed about how your data is being processed

  • the right to access what data is held about you

  • the right to have inaccurate data rectified

  • the right to restrict the processing

  • the right to object to the processing

Any rights requests received by NHS Digital will be handled in agreement with DHSC who are the Controller.

You also have the right to complain to the Information Commissioners Office if you are unhappy with how your personal data is processed.

Changes to this notice

We may make changes to this transparency notice. If we do, the ‘last updated’ date on this page will also change. Any changes to this notice will apply immediately from the date of any change.

Further information

Last edited: 29 May 2020 9:17 am