This Privacy Notice sets out how the Greater Manchester Combined Authority (GMCA) will use information in its response to the coronavirus pandemic, including tracing and contacting people who have come into contact with persons who have tested positive for COVID-19 in the Greater Manchester area.
We are committed to protecting your personal data and ensuring that it is processed fairly and lawfully. Information you provide to us will be processed in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018) and subsequent legislation.
Such information will be limited to what is legal, proportionate and necessary, taking into account the latest guidance issued by the Government and health professionals, in order to provide the necessary support to those most vulnerable and in need and also to manage and contain the virus.
A lot of what we will do with your personal data will be covered by existing powers in current laws and you can find out more information about how we process your information on our website.
What information do we collect and why?
As a combined authority, we receive information from all ten of the local authorities based in Greater Manchester, as well as data directly from Public Health England (PHE) in order to effectively measure the health, mortality, or care needs of the region. We can use this data to anaylse the spread of the coronavirus which will allow us to plan, evaluate or monitor public health programmes, in order to protect and improve public health and wellbeing.
The data received falls into two categories:
a) Test Data – This is data that we will receive from Public Health England relating to all ten Local Authorities and its purpose is to identify and manage outbreaks across the Greater Manchester region. This data will be pseudonymised which means there will be no information that can directly identify any individuals’ e.g. full names, contact details etc. Rather it will be data that will allow us to see the number of cases per postcode for example, or how many cases have been identified in total over the last 24 hours.
b) Contact tracing data – This data will be coming from both Public Health England and the ten Local Authorities. It is slightly different from the test data mentioned above, in that it will be Personal Identifiable Information, i.e. relating to positive cases which are complex or from complex settings. This means it will contain information that directly identifies individuals and it will be used to provide direct support to those whom are finding it difficult to adhere to self-isolation measures. It may also be used for consequence management as a result of an outbreak in a complex setting, or providing prevention/proactive infection control advice and guidance.
The data items collected for contact tracing can include individuals’ details such as:
- Full name
- Date of birth
- NHS number
- Home postcode and house number
- Telephone number and email address
- COVID-19 symptoms, including when they started and their nature
How long the information is kept for?
The information collected through Contact Tracing will be retained in line with national guidance and legal requirements as instructed. As the COVID-19 situation is changing on an almost daily basis, it is difficult to stipulate a definite retention period at this time.
This information may need to be retained because COVID-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments.
Legal basis for processing
The GMCA will enter into an MOU (Memorandum of Understanding) with the ten Greater Manchester Local Authorities (GM LA’s) which will allow us to run concurrent powers relating to the duties placed on the GM LA’s in executing their public health functions initially for the purposes of COVID-19. This also enables Public Health England to recognise the GMCA as a Data Controller for the purposes of sharing test and trace data in relation to complex cases. This processing relies on the Public Health Order 2017.
In addition Combined Authorities are recognised under Regulation 3(4) of the National Health Service (Control of Patient Information Regulations) 2002 (COPI).
These duties are in accordance with the following legal bases:
• GDPR Article 6(1)(e): the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
• GDPR Article 9(2)(h): the processing is necessary for the management of health or social care systems and services
• GDPR Article 9(2)(i): the processing is necessary for reasons of public interest in the area of public health
• DPA 2018 – Schedule 1, Part 1, s.3: Public Health
• DPA 2018 – Schedule 1, Part 1, (2)(2)(f): Health or social care purposes
Your rights as a data subject
The GDPR gives you the following rights over your information:
• Your right to get copies of your information
You have the right to ask for a copy of any information about you that is used.
• Your right to get your information corrected
You have the right to ask for any information held about you that you think is inaccurate to be changed.
• Your right to limit how your information is used
You have the right to ask for the use of any information held about you to be restricted. For example, you can ask this where you think the information GMCA is using is inaccurate.
• Your right to object to your information being used
You can ask for any information held about you not to be used. This is not an absolute right and GMCA may need to continue to use your information. We will tell you why if this is the case.
• Your right to get your information deleted
You can ask for any information held about you to be deleted. This is not an absolute right and GMCA may need to continue to use your information. We will tell you why if this is the case.
For more information on the GDPR and your rights, please visit the ICO website.
To find out what information we hold about you, you need to make a Subject Access Request in writing. If you wish to exercise any of your other information rights please contact us on OfficeOfDPO@greatermanchester-ca.gov.uk
If you are not satisfied with the response from us you can complain to the Information Commissioner’s Office. For further details on this and your information rights please visit the Information Commissioner’s Website.
Data Protection Officer (DPO)
The GMCA is required by law to have a DPO. The DPO has a number of duties, including:
- Monitoring the organisations compliance with data protection law;
- Providing expert advice and guidance on data protection;
- Acting as the point of contact for data subjects; and,
- Co-operating and consulting with the Information Commissioner’s Office (see ‘Complaints’ below).
The GMCA’s Data Protection Officer can be contacted by email at OfficeOfDPO@greatermanchester-ca.gov.uk