Our purposes for processing personal data
To manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19), the government are rolling out NHS Test and Trace, a service which includes testing people for coronavirus, tracking the spread of the virus and tracing the people an infected person has come into contact with using both digital technology (the NHS Covid-19 App) and using manual contact tracing methods.
As part of the NHS Test and Trace programme (TT), NHS Digital’s Data Security Centre (DSC) is providing protective monitoring services to ensure the cyber security and resilience of the underlying infrastructure and operations that support the TT programme.
Legal basis for processing personal data
The Department of Health and Social Care (DHSC) is the controller of the personal data processed by the TT programme under the General Data Protection Regulation 2016 (GDPR).
NHS Digital is a processor on behalf of the DHSC for the collection and analysis of the data to provide the protective monitoring service.
DHSC’s legal basis for processing personal data to operate the TT programme is:
- GDPR Article 6(1)(e) - the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service.
DHSC’s legal basis for processing personal data related to health (special category data) is:
- GDPR Article 9(2)(g) – substantial public interest and DPA 2018 - Schedule 1, Part 2, para 6 (Statutory and government purposes)
- GDPR Article 9(2)(h) – health or social care purposes and DPA 2018 – Schedule 1, Part 1, (2) (2) (f) – Health or social care purposes
- GDPR Article 9(2)(i) – public health purposes and DPA 2018 - Schedule 1, Part 1, para 3 (Public health)
Types of personal data we process
NHS Digital’s protective monitoring service will monitor system, network and event data from the systems operated by DHSC’s TT programme to identify, investigate, defend and respond to cyber security threats. The types of personal data processed include:
- IP addresses
- machine identifiers of the solution infrastructure (but not of the public subscriber)
- email addresses
- error/event logs which may include personal and special category data
How we obtain your personal data
From system, network and event logs from DHSC’s systems which operate the TT programme.
How long we keep your personal data for
Most system, network and event data will be held for up to 180 days for protective monitoring purposes. Where the data is required to be retained for longer, this will be at the instruction of DHSC, the Controller.
Where we store the data
NHS Digital only stores and processes your personal data within the UK.
Your rights over your personal data
Under data protection law, you have a number of rights including:
- the right to be informed about how your data is being processed
- the right to access what data is held about you
- the right to have inaccurate data rectified
- the right to restrict the processing
- the right to object to the processing
Any rights requests received by NHS Digital will be handled in agreement with DHSC, who are the Controller.
You also have the right to complain to the Information Commissioner’s Office if you are unhappy with how your personal data is processed.
Changes to this notice
We may make changes to this transparency notice. If we do, the ‘last updated’ date on this page will also change. Any changes to this notice will apply immediately from the date of any change.