Test and Trace Support Scheme - Self-Isolation Payment

On 28th September 2020, the Government passed into law a national Test and Trace Support scheme. From 12th October, a one-off payment of £500 or access to a discretionary fund will be available for eligible individuals. More information about this scheme can be found on the .gov website [external link].

If you apply, we will need to process your personal data to assess whether you are eligible to receive financial support, and if so, to provide a payment to you. This Privacy Notice sets out what personal data we will use, how we will use it, and why we need to, when an applicant applies for this support.

Data Controller

The Department of Health and Social Care (DHSC) has commissioned NHS Test and Trace on behalf of the government and is the data controller for the purposes of providing Test and Trace data to Darlington Borough Council.

Darlington Borough Council is the data controller for the purposes of assessing eligibility, administering and making payments under the Test and Trace Support scheme.

New package to support self-isolation

If you have been told by the NHS to self-isolate, either because you have tested positive for COVID-19 or you have been in contact with someone who has tested positive, you may be entitled to some financial support during your self-isolation period.

What are Self-Isolation Payments?

People who are eligible will receive a £500 one-off Test and Trace Support payment or provision from the discretionary fund to remain at home to help stop the spread of the virus.

Categories of personal data we collect and process

We collect and process the personal data that you provide to us when completing your application for a self-isolation support payment, which may include:

  • Full name;
  • Full residential address;
  • Email address;
  • Mobile telephone number;
  • Home telephone number;
  • Proxy applicant details (as above where you may nominate someone else to complete this application on your behalf);
  • Employer name and address;
  • NHS notification number (the unique reference you will be given by NHS Test and Trace Service to self-isolate);
  • Bank account details;
  • Your National Insurance Number;
  • Proof of self-employment, e.g. a recent business bank statement (within the last two months), most recent set of accounts or evidence of self-assessment.

Source and categories of personal data

We will obtain data from the NHS Test and Trace Service to confirm that you have either tested positive for COVID-19 or you have been in close contact with someone who has tested positive for COVID-19. As this data is related to your health it is referred to as ‘special category data’.

You or your nominated representative will also provide us with additional personal data in relation to your application for a Self-Isolation Payment.

What we use your personal data for

We will carry out checks with the NHS Test and Trace Service and the Department for Work and Pensions (DWP) for verification purposes, with Her Majesty’s Revenue and Customs (HMRC) for tax and National Insurance purposes, and potentially with your employer, in validating your application.

Information relating to your application will also be sent to the DHSC to help understand public health implications, allow us to carry out anti-fraud checks and determine how well the scheme is performing.

We will not share this data with other organisations or individuals outside of Darlington Borough Council for any other purpose.

We will provide information to HMRC in relation to any payments we make because Self-Isolation Payments are subject to tax and National Insurance contributions. If you are self-employed, you will need to declare the payment on your self-assessment tax return.

Our lawful basis for processing the personal data

We must have a legal basis to process your personal data. Our lawful basis for the processing that we’ll undertake in assessing your eligibility for, and in making, any self-isolation payment to you is a legal obligation.

Where we use personal information to confirm that someone is eligible for a self-isolation payment, the sections of the law that apply are:

  • GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • GDPR Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare;
  • Data Protection Act 2018 Schedule 1 Part 1 (2) – health or social care purposes.

Separately, we have special permission from the Secretary of State for Health and Social Care to use confidential patient information without people’s consent for the purposes of diagnosing, recognising trends, controlling and preventing, and monitoring and managing communicable diseases and other risks to public health.

This is known as a ‘section 251’ approval and includes, for example, using your test results if you test positive for COVID-19 to start the contact-tracing process.

The part of the law that applies here is section 251 of the National Health Service Act 2006 and Regulation 3 of the associated Health Service (Control of Patient Information) Regulations 2002.

You can find more information on this via the NHS Contact Tracing Privacy Notice here.

Data Processors and other recipients of your data

These are the recipients with which your personal data is shared:

  • Her Majesty’s Revenue and Customs (HMRC) for tax and National Insurance purposes;
  • Your employer for verification check purposes;
  • Victoria Forms, our e-form provider.

Personal data disposal and retention

We will only keep your personal data for as long as it is needed for the purposes of the COVID-19 emergency, and for audit and payment purposes.

Security

We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. These include encryption of personal data on mobile devices and compliance with ISO27001 and PSN. Confidentiality and integrity are also maintained via access controls and staff training, policies and procedures.