In this Privacy Notice, we describe how your Personal Data will be collected, used and shared in connection with Testing For All’s project involving the distribution of certain kits to test for SARS-CoV-2 (the “COVID-19 Project”). For clarity, in this Privacy Notice, “SARS-CoV-2” refers to the virus that causes the COVID-19 disease.
Who is responsible for the handling of my Personal Data?
Testing For All is the Controller (for the purposes of the General Data Protection Regulation (“GDPR”)) of your Personal Data. Testing For All is a company limited by guarantee registered in England and Wales under company number 12570433 with its registered address at 13 Hawley Crescent, London, England, NW1 8NP.
What types of Personal Data will be collected and processed in connection with the COVID-19 Project?
If you become part of the COVID-19 Project, Testing For All will collect and process Personal Data about you, which may include:
- Your full name, date of birth, sex, full home address including postcode;
- Your NHS Number;
- Email address and mobile phone number;
- Your history of symptoms associated with the virus SARS-CoV-2 and related COVID-19 disease;
- Whether you tested positive for SARS-CoV-2 and/or COVID-19 and if so, where and when;
- Sample (i.e. any fluid, such as blood);
- Sample ID; and
- Laboratory test result.
For arrivals from countries classified by the UK government as red, amber or green, and for travel testing such as fit to fly and test to release Testing For All may collect additional Personal data:
- Passport number and transport vessel number;
- Recent travel history including the countries visited.
If you become part of a usability study or clinical trial, Testing For All may collect and process additional Personal Data about you, which may include:
- Demographic information such as your education level and ethnicity.
- We may provide additional or supplemental privacy notices to you in respect of any such studies or trials. These supplemental privacy notices will govern how we may process the information in the context of that study or trial.
For what purposes will Testing For All process my Personal Data and on what legal basis?
Testing For All will process your Personal Data for the following purposes:
- to distribute self-tests and/or sampling kits to you to enable you to get tested for viral RNA and/or antigens of SARS-CoV-2, and/or antibodies against SARS-CoV-2 and to send you the result of your test;
- for planning effective testing strategies and testing protocols – for example, to determine the correct test that you should take (e.g. you may need to be given a different test depending on when you think you were infected with the virus);
- to comply with any legal requirements; and
- to enable the NHS and/or Public Health England to undertake resource planning and public health monitoring and statistical analysis (including to measure the public’s antibody and viral presence over time), and to inform its responses to the COVID-19 pandemic.
The legal bases under the GDPR for Testing For All’s collection and processing of your Personal Data in connection with the Covid 19 Project is:
- In respect of processing activities which are derived from legal obligations to which Testing For All is subject: compliance with a legal obligation under Article 6(1)(c) of the GDPR and, where this Personal Data is special category data (e.g. your health data and your ethnicity), we do so because this is necessary for reasons of public interest in the area of public health under Article 9(2)(i) of the GDPR;
- In respect of processing activities which are carried out to enable the NHS and/or Public Health England to undertake resource planning and public health monitoring and statistical analysis, and to inform its responses to the COVID-19 pandemic, we do so we do so because this is necessary for the performance of a task carried out in the public interest under Article 6(1)(e) of the GDPR and, where we process your Personal Data which is special category data (e.g. your health data and your ethnicity), we do so because this is necessary for reasons of public interest in the area of public health under Article 9(2)(i) of the GDPR or for scientific research purposes in the public interest under Article 9(2)(j) of the GDPR; and
- In all other cases: we do so because this is necessary for the purposes of legitimate interests pursued by us under Article 6(1)(f) of the GDPR (including to plan effective testing strategies and testing protocols) and, where we process your Personal Data which is special category data (e.g. your health data and your ethnicity), we do so because this is necessary for scientific research purposes in the public interest under Article 9(2)(j) of the GDPR.
With whom does Testing For All share my Personal Data?
Whenever possible, when your Personal Data is shared with third parties, your identity will be protected in accordance with accepted industry standards and applicable laws. Testing For All never sells your Personal Data to third parties.
Testing For All may share your Personal Data with the following third parties:
- Lab partners or other collaborators to which it may be necessary to disclose your Personal Data, including the London Medical Laboratory Ltd and Acculabs Diagnostics and other laboratories listed at testingforall.org/laboratories. This is done to enable your COVID-19 saliva PCR or antibody test to be completed;
- With Care Quality Commission registered organizations contracted by Testing For All to provide nursing or phlebotomy services to enable sample collection for testing;
- With representatives of the NHS, Public Health England or other national and foreign regulatory authorities; and/or
- With Public Health England’s Test & Trace program in the event of a positive viral presence test (PCR, point of care or other), and/or viral antigen or PCR sample result
- With third party companies that provide services to us (such as data hosting, customer relationship management, email delivery, marketing, fulfilment and payment processing services). These third parties may use your personal information only as directed or authorized by us and in a manner consistent with this privacy notice, and are prohibited from using or disclosing your information for any other purpose.
Where will my Personal Data be maintained?
Your Personal Data will be maintained by Testing For All on the Google Cloud Platform in Europe-west1 and Europe-west2 and Amazon Web Services: Europe (London) Region.
As outlined above, we may also share your Personal Data with third parties who may be based outside the European Economic Area (“Europe”). Any processing of your Personal Data by such third parties will therefore involve a transfer of your Personal Data outside of Europe. Where this occurs, we ensure that a similar degree of protection is afforded to your Personal Data by implementing at least one of the following safeguards:
- we may transfer your Personal Data to third parties based in countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission. For further details, see European Commission: Adequacy of the protection of Personal Data in non-EU countries.
- we may enter into contracts with third parties which have been approved by the European Commission, and which contractually oblige such third parties to give Personal Data an equivalent level of protection as the protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of Personal Data to third countries.
- where we transfer Personal Data to third parties based in the U.S., we may do so on the basis of the contracts described above or if they are part of the EU-U.S. Privacy Shield, which requires such third parties to provide an equivalent level of protection to Personal Data as the protection it has in Europe. For further details, see European Commission: EU-U.S. Privacy Shield.
How will my Personal Data be protected?
Testing For All takes technical measures that are designed to protect your Personal Data from unauthorized access and use; for example, your Personal Data is stored in the Google Cloud Platform and Amazon Web Services and is encrypted using one or more layers of encryption. Where available Testing For All staff use multi-factor authentication provided by Google Cloud and Amazon Web Services to provide additional security to access Personal Data.
What are my rights with regards to my Personal Data?
The GDPR gives you the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
- Please note that some of these rights do not apply when Personal Data is being used for research purposes, but we will always try to respond to concerns or queries that you may have.
How long will my Personal Data be retained?
Your Personal Data will not be kept for longer than is necessary, as stated in this Privacy Notice, and will be retained in an anonymized format wherever possible. When your Personal Data will no longer be necessary for the purpose of responding to the COVID-19 pandemic, it will only be retained to the extent that this is required under applicable legislation and will otherwise be deleted.
How do I submit questions or concerns?
If you have questions about how your Personal Data is handled in connection with the COVID-19 Project, please refer them to Testing For All at the contact details listed below.
If your concern cannot be resolved, you may submit a complaint to the UK Information Commissioner’s Office.
Testing For All’s Data Protection Officer can be reached by sending an email to firstname.lastname@example.org.
Updated 30 May 2021