Home chevron_right Data protection and privacy chevron_right Privacy notices chevron_right Privacy notice - NHS Test and Trace support

Privacy notice - NHS Test and Trace support

Who are we and what do we do?


Middlesbrough Council supports the NHS Test and Trace Service to track and help prevent the spread of COVID-19.

What type of personal data do we collect and how do we collect it?


We receive personal data from NHS Test and Trace including name, NHS number, NHS Test and Trace Account ID, telephone number(s), email address, postal address, employer, settings visited disclosed, date and time that the individual entered relevant settings. We also receive special category data in the form of health information specifically where a person has a positive test result for COVID-19. We match this information with existing council tax and benefits records to gather up to date contact information only.

How the Law allows us to use your personal data


We use personal data where we have a ‘legal obligation’ to do so or where we are exercising a ‘public task’ power. We use special category data where it is ‘necessary for reasons of public interest in the area of public health’. Some of the laws that require or permit us to use this data are:

  • Coronavirus (COVID-19): notice under regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 – general;
  • The Health Protection (Coronavirus, Collection of Contact Details etc. and Related Requirements) Regulations 2020; and
  • The National Health Service Act 2006.

What is your personal data used for?


We use personal data to contact people who have tested positive for COVID-19, to advise them to self-isolate, to understand their activities before accessing testing, including workplace, travel, household situation and any relevant places that they have visited, and to identify any close contacts, in order to prevent further transmission and protect the public.

Will your personal data be shared?


We share some data with NHS Test and Trace about our progress on engaging with individuals and tracing their contacts. We only share personal data, where necessary, with organisations to support the COVID-19 test and trace purpose.

How do we keep your personal data secure?


Personal data is received and shared through an NHS secure web portal. Where data is held locally it is kept in secure, access restricted electronic storage. All staff undergo vetting and training and are required to follow our information security policy. All data is encrypted during transit and when stored locally.

How long will we keep your personal data?


We are required to hold this personal data until 31 March 2021 unless extended by the Secretary of State for Health and Social Care.

Is your personal data processed overseas?


No personal data is transfer outside of the United Kingdom.



We use personal data to contact you for NHS Test and Trace purposes. We will never use it for direct marketing purposes.

What are your information rights?


Your Information Rights are set out in law and, subject to some exceptions, you have the:

  • Right to rectification - to ask for information to be corrected
  • Right to erasure - to have your personal data deleted
  • Right to object - to how your data is used
  • Right to restriction - to request limits on how your data is used
  • Right to portability - to request that we move your data to another organisation
  • Right of subject access - to request a copy of data the Council holds about you

Making a complaint


If you have a concerns about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner's Office. Visit the website of the Information Commissioner's Office.



If you would like to discuss anything in this privacy notice or your information rights, please contact:

The Data Protection Officer
Middlesbrough Council
PO Box 500, Middlesbrough, TS1 9FT
Phone: 01642 245432
Email: dataprotection@middlesbrough.gov.uk