London Borough of Croydon

On 28 September 2020, the government passed into law a national Test and Trace Support scheme. From 12 October, a one-off payment of £500 or access to a discretionary fund will be available for eligible individuals. More information about this scheme can be found on GOV.UK.

If you apply, we will need to process your personal data to assess whether you are eligible to receive financial support, and if so, to provide a payment to you.  This Privacy Notice sets out what personal data we will use, how we will use it, and why we need to, when an applicant applies for this support.

Data Controller

The Department of Health and Social Care (DHSC) has commissioned NHS Test and Trace on behalf of the government and is the data controller for the purposes of providing Test and Trace data to Croydon Council.

Croydon Council is the data controller for the purposes of assessing eligibility, administering and making payments under the Test and Trace Support scheme.

New package to support self-isolation 

If you have been told by the NHS to self-isolate, either because you have tested positive for COVID-19 or you have been in contact with someone who has tested positive, you may be entitled to some financial support during your self-isolation period.

What are Self-Isolation Payments?

People who are eligible will receive:

A £500 one-off Test and Trace Support payment or provision from the discretionary fund to remain at home to help stop the spread of the virus.

Categories of personal data we collect and process

We collect and process the personal data that you provide to us when completing your application for a self-isolation support payment, which may include:

  • Full name
  • Full residential address
  • Email address
  • Mobile telephone number
  • Home telephone number
  • Proxy applicant details (as above where you may nominate someone else to complete this application on your behalf)
  • Employer name and address
  • NHS notification number (the unique reference you will be given by NHS Test and Trace Service to self-isolate) 
  • Bank account details
  • Your National Insurance Number
  • Proof of self-employment e.g. recent business bank statement (within the last two months), most recent set of accounts or evidence of self-assessment

Source and categories of personal data

We will obtain data from the NHS Test and Trace Service to confirm that you have either tested positive for COVID-19 or you have been in close contact with someone who has tested positive for COVID-19.  As this data is related to your health it is referred to as ‘special category data’.

You or your nominated representative will also provide us with additional personal data in relation to your application for a Self-Isolation Payment.

What we use your personal data for 

We will carry out checks with the NHS Test and Trace Service and the Department for Work and Pensions (DWP), for verification purposes, Her Majesty’s Revenue and Customs (HMRC), for tax and National Insurance purposes, and potentially with your employer in validating your application.  

Information relating to your application will also be sent to the DHSC to help understand public health implications, allow us to carry out anti-fraud checks and determine how well the scheme is performing. 

We will not share this data with other organisations or individuals outside of London Borough of Croydon for any other purpose.

We will provide information to HMRC in relation to any payments we make because Self-Isolation Payments are subject to tax and National Insurance contributions. If you are self-employed, you will need to declare the payment on your self-assessment tax return.

Our lawful basis for processing the personal data

We must have a legal basis to process your personal data. Our lawful basis in the processing that we’ll undertake in assessing your eligibility for, and in making any self-isolation payment to you, is based on a legal obligation. 

Where we use personal information to confirm that someone is eligible for a self-isolation payment, the sections of the law that apply are:

  • GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • GDPR Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare;
  • Data Protection Act 2018 Schedule 1 Part 1 (2) - health or social care purposes

Separately, we have special permission from the Secretary of State for Health and Social Care to use confidential patient information without people’s consent for the purposes of diagnosing, recognising trends, controlling and preventing, and monitoring and managing communicable diseases and other risks to public health. 

This is known as a ‘section 251’ approval and includes, for example, using your test results if you test positive for COVID-19 to start the contact-tracing process. 

The part of the law that applies here is section 251 of the National Health Service Act 2006 and Regulation 3 of the associated Health Service (Control of Patient Information) Regulations 2002.

You can find more information on this via the NHS Contact Tracing Privacy Notice.

Data Processors and other recipients of your data

These are the recipients with which your personal data is shared:

  • Her Majesty’s Revenue and Customs (HMRC) for tax and National insurance purposes
  • Your employer for verification checks purposes
  • International Data Transfers and Storage

Croydon Council does not transfer personal data relating to Test and Trace Support Payments outside the UK, EEA or to third countries. All personal data is stored within the UK.

Personal data disposal and retention

We will only keep your personal data for as long as it is needed for the purposes of the COVID-19 emergency, and for audit and payment purposes.

Cookies

Cookies are small text files that are placed on your browser. See how we use cookies.

Your rights as a data subject

By law, you have a number of rights as a data subject and this does not take away or reduce these rights. Your rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018 applies.

All information is processed in accordance with Croydon Council data protection policy.

These rights are:

  1. Your right to get copies of your information – you have the right to ask for a copy of any information about you that is used.
  2. Your right to get your information corrected – you have the right to ask for any information held about you that you think is inaccurate, to be corrected
  3. Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
  4. Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
  5. Your right to get information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.

If you are unhappy or wish to complain about how your personal data is used as part of this programme, you should contact London Borough of Croydon in the first instance, 

If you are still not satisfied, you can complain to the Information Commissioner’s Office. Their website address is www.ico.org.uk and their postal address is:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Security

We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited, and the audits are reviewed at senior level.

Data Protection Officer

The Council has appointed a Data Protection Officer (DPO). Their role is to inform and advise the Council of its obligations under data protection legislation and to monitor the Council’s compliance. The Data Protection Officer also acts as the single point of contact for the Information Commissioner’s Office (ICO) and provides advice and assistance on Data Protection Impact Assessments.

The DPO is Sandra Herbert (Head of Litigation and Corporate Law and deputy Monitoring Officer) and can be contacted at dpo@croydon.gov.uk.

Automated decision making or profiling

No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you. 

Changes to our policy

We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on our website. This privacy notice was last updated on 12 October 2020.