Local Contact Tracing Service Privacy Notice

Contact details of the Data Protection Officer


What Personal Data is held?

All cases passed from PHE to the LCTS will have been individuals who have had a positive Covid-19 test result.

Data received from PHE and used for LCT comprises:

  • Name
  • Postcode
  • Whether resident in a Care Home
  • Telephone No.
  • D.O.B/Age
  • Gender
  • Ethnicity

Data collected from interviews with contacts and entered into the PHE CTAS computer system may comprise:

  • Symptoms
  • Date of first symptoms
  • Support needs
  • Name and address information
  • Household contacts
    • Resident or visitor
    • Whether over 18
    • Email address
    • Phone number
    • Direct or close contact
  • Workplace/Educational institution Information
  • Place of work
    • Job title
    • Address
    • Postcode
    • Date last attended
    • Contacts – name/surname/phone/email
  • Activities outside the house
    • Activities attended in 7 days before symptoms
    • Nature and details of activity
    • When activity took place

Transactional data and activity logging:

  • Outbound call attempts, time, duration, number called
  • Outcome of calls
  • Customer feedback on national and local service provision

How will the data be stored?

In secure electronic management database systems, spreadsheets stored on internal secure folders and accessed on secure encrypted laptops. All data is stored on secure servers.

We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

What is the legal basis for the collection, use and storage of the data?

We rely on the following as the lawful bases on which we collect and use your personal data:

Reading Borough Council will introduce a locally enhanced local contact tracing service (“LCTS”) to contact people in the borough who have tested positive for COVID-19 but who have not been reached by the National Test and Trace Service (Tier 3 and 2) over a maximum of a 48-hour period (this time is determined by the outcome of the national team – for example if the number is unobtainable, it is like that they would refer immediately to the local team for action).

This will ensure anyone that has tested positive for COVID-19 but where the NTATS has not been successful in making contact is followed up by the Local Authority. The purpose is to maximise the number of positive cases that are contacted and obtain details of the Covid positive person’s own contacts which can then be passed back to the NTATS for follow up. 

Personal data will be processed in accordance with GDPR 1018 Article 6(1)(e) Public task and special category data to be processed in accordance with GDPR 2018 Article 9(2)(i) Public Interest in the area of public health.

National Health Service Act 2006: s2B(1) Each local authority must take such steps as it considers appropriate for improving the health of the people in its area. Regulations made under Section 6C of the NHS Act 2006 require local authorities to take particular steps in exercise of their public health functions, or aspects of the Secretary of State’s public health functions.

Part 2 of the Local Authorities (Public Health Functions and Entry to Premises by Local Healthwatch Representatives) Regulations 2013 (SI 2013/351) makes provision for the steps to be taken by local authorities in exercising their public health functions. In particular, Regulation 8 imposes a duty on local authorities to provide information and advice to certain persons and bodies within their area in order to promote the preparation of, or participation in, health protection arrangements against threats to the health of the local population, including infectious disease, environmental hazards and extreme weather events.

Under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) the Secretary of State for Health and Social Care requires the council to process confidential patient information in the manner set out for purposes set out in Regulation 3(1) of COPI. This notice currently runs to end March 2021.

A data sharing agreement between PHE and the Berkshire council’s as Public Health Berkshire dated 11th September 2020 and sets out the basis of data sharing necessary to fulfil the parties responsibilities to take action to manage and mitigate the spread and impact of the current outbreak of Covid-19.

Give details of how long the data will be stored and criteria used to determine this?
Some of the information being used will already be held by us and will be kept in line with our retention schedules and data sharing agreement with PHE.

However, we will be collecting new information as a result of the response to the pandemic. We will not keep this information for any longer than necessary. We do not yet know how long the pandemic will continue for, so the requirement to keep this information will be kept under review.

Who will it be shared with and for what purpose?

Data collected will be entered onto the national CTAS system and shared with the National Track and Trace Service to enable them to follow up and contact people identified as having been in contact with the individuals who have tested positive for Covid-19 and provide advice to protect them and the wider community.

Information entered into CTAS will be viewed by PHE the local PH service and may be utilised to produce local and national statistics and inform any further actions needed to combat the spread of COVID-19.

We may be required to share information with other statutory bodies or internal services within the Council to full fill our statutory obligations.

How can the service user get access to it?

Subject Access Request can be made by following the link: www.reading.gov.uk/dataprotection

State whether any data is to be transferred outside the EU?


Is processing based on consent?

You have a ‘right to be forgotten’ so you can ask for your personal information to be deleted where:

  • It is no longer needed for the reason why it was collected in the first place
  • You have removed your consent for us to use your information and we do not have to keep your information for legal reasons

If we have shared your personal information with others, we will do what we can to make sure those using your personal information comply with your request for erasure.
We may not be able to delete your personal data if it is needed for legal reasons, for reasons of public health, public interest or for medical purposes.

What other rights does the service user have that we have to make known to them?

The right to have their data corrected, the right to have their data deleted and their right to put a complaint to the Information Commissioner’s Office (ICO)

State if there will be any automated decision making


Last updated on 21/02/2021