COVID-19 Collection of Personal Data - Privacy Notice

This section of the Privacy Notice relates to personal data being collected from visitors, staff and students providing their contact details as part of the COVID-19 Test and Protect programme. It should be read in conjunction with the overall Privacy Notice.

For the health and safety of the visitors, staff and students in these premises, we are recording the name and contact details of everyone who enters to support NHS Scotland’s efforts in tackling COVID-19. This information will be used to enable NHS Scotland and statutory partners to contact you should you have been in the premises around the same time as someone who has tested positive for coronavirus. Contacting people who might have been exposed to the virus is an important step in stopping the spread.  We are also asking staff and students to notify the University if they have tested positive or have COVID-19 symptoms.

The University will also be processing basic details of individuals attending the on-campus testing centre for asymptomatic testing in order to facilitate appointment management. This will be done via Eventbrite. Details of the Eventbrite Privacy Policy can be found on their website.

1. Why do we need to collect this data?

As stated above, the purpose for which we are processing your personal data is to assist with NHS Scotland’s efforts in tackling the coronavirus public health epidemic. This will involve the gathering and, when necessary, the sharing of information with NHS Scotland and statutory partners. Your data will not be used for any other purpose.

In order to assist in the containment of the virus, we will only share your data when it is requested directly by NHS Scotland and statutory partners.  This will only be in the unlikely event there is a cluster of coronavirus cases linked to the premises.

For further information on the NHS Scotland Test and Protect strategy please visit the NHS website.[1]

Personal information collected to manage appointments at the testing centre will not be shared with NHS Scotland. 

2. What data will we collect?

Along with the date and time of your arrival and departure, we will collect the following personal data if applicable:

  • your name; and
  • contact telephone number.

If you do not have a telephone number, you have the option to provide:

  • a postal address; or
  • an email address.

For staff and students who have tested positive or have COVID-19 symptoms we will also ask for details of when you were last on campus, where you have visited and if you are in University or private accommodation.

For individuals making appointments at the testing centre, in addition to your name and contact details we will also collect your student number.

3. What is our lawful basis for collecting this data?

Under data protection law, GDPR Article 6(1), we have a number of lawful bases that allow us to collect and process personal information. In the case of collecting your personal details for the purposes detailed above, the lawful basis for processing your data will be one of the following:

  • For compliance with a legal obligation to which the University is subject (H&S legislation) (GDPR Article 6(1)(c)).
  • For the performance of a task carried out in the public interest (GDPR Article 6(1)(e)).
  • For the purposes of the legitimate interests pursued by the University (GDPR Article 6(1)(f)).

Broadly speaking this means that we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights and interests.

Our legitimate reason for processing your data is to assist with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic.

Before sharing any information we will carefully consider and balance any potential impact on you and your rights.

When we are collecting health information (special category data) from you the appropriate lawful basis will be that the processing is necessary:

  • For the purpose of carrying out the obligations and exercising specific rights of the University or of individual data subjects in the field of employment and social secuirty and social protection law (GDPR Article 9(2)(b) and Data Protection Act 2018 Schedule 1 Part 1, s1(1)(a)).
  • For reasons of substantial public interest (GDPR Article 9(2)(g) and Data Protection Act 2018 Schedule 1 Part 2, s18).
  • For reasons of public interest in the area of public health (GDPR Article 9(2)(i)).

4. How long will we retain the data?

Your personal data will be retained only for the purposes stated in this privacy notice and will be held by us for no more than 3 weeks (21 days).

All personal data will be held and disposed of in a safe and secure manner.

5. Your rights

As defined in the data protection law, GDPR Article(s) 12-23, you have the following rights:

  • The right to be informed about the collection and use of your personal data. This is outlined above.
  • The right to erasure. If at any point within the 21 days after your visit you decide you’d like us to delete the personal data you provided, please advise us and we will delete all information related to you.
  • The right to object to us processing your personal data. If you do so, we will delete all the personal data we hold in relation to you.
  • The right to rectification. If the information held is in any way incorrect, you can contact the data controller and request that the information be rectified.

In certain circumstances exemptions to these rights may apply.  Further information is available on the Information Commissioner’s Office website.[2]

6. Do you have a complaint?

If you have any further questions these should be directed in the first instance to a manager in the area of the University that collected your data.

If you have any issues about this statement or the way the University has handled your personal data please see the ‘Contact details and further information’ section of the overall Privacy Notice.