Protective monitoring service for coronavirus NHS Test and Trace: transparency notice

To manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19), the government are rolling out NHS Test and Trace, a  service which includes testing people for coronavirus, tracking the spread of the virus and tracing the people an infected person has come into contact with using both digital technology (the NHS Covid-19 App) and using manual contact tracing methods.

As part of the NHS Test and Trace programme (TT), NHS Digital’s Data Security Centre (DSC) is providing protective monitoring services to provide cyber security and resilience to the underlying infrastructure and operations that support the TT programme.

The Department of Health and Social Care (DHSC) is the controller of the personal data processed by the TT programme under the General Data Protection Regulation 2016 (GDPR).

NHS Digital is a processor on behalf of the DHSC for the collection and analysis of the data to provide the protective monitoring service. 

DHSC’s legal basis for processing personal data to operate the TT programme is:

• GDPR Article 6(1)(e) - the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service.

DHSC’s legal basis for processing personal data related to health (special category data) is:

• GDPR Article 9(2)(g) – substantial public interest and DPA 2018 - Schedule 1, Part 2, para 6 (Statutory and government purposes)
• GDPR Article 9(2)(h) – health or social care purposes and DPA 2018 – Schedule 1, Part 1, (2) (2) (f) – Health or social care purposes
• GDPR Article 9(2)(i) – public health purposes and DPA 2018 - Schedule 1, Part 1, para 3 (Public health)

NHS Digital’s protective monitoring service will monitor system, network and event data from the systems operated by DHSC’s TT programme to identify, investigate, defend and respond to cyber security threats. The types of personal data processed include:

• IP addresses
• machine identifiers of the solution infrastructure (but not of the public subscriber)
• email addresses
• error/event logs which may include personal and special category data

From system, network and event logs from DHSC’s systems which operate the TT programme.

NHS Digital’s use of the data is restricted to the investigation and closure of cyber security incidents. We will only share personal data at the instruction of DHSC, the Controller.

Most system, network and event data will be held for up to 180 days for protective monitoring purposes. Where the data is required to be retained for longer, this will be at the instruction of DHSC, the Controller.

NHS Digital only stores and processes your personal data within the UK.

Under data protection law, you have a number of rights including:

• the right to be informed about how your data is being processed

• the right to access what data is held about you

• the right to have inaccurate data rectified

• the right to restrict the processing

• the right to object to the processing

Any rights requests received by NHS Digital will be handled in agreement with DHSC who are the Controller.

You also have the right to complain to the Information Commissioners Office if you are unhappy with how your personal data is processed.

We may make changes to this transparency notice. If we do, the ‘last updated’ date on this page will also change. Any changes to this notice will apply immediately from the date of any change.

See more information on how the DSC is supporting health and care during the coronavirus pandemic.