Sports field with goal posts and houses in the distance

Covid-19 Test and Trace Privacy Notice


This Privacy Notice sets out how the Greater Manchester Combined Authority (GMCA) will use information in its response to the coronavirus pandemic, including tracing and contacting people who have come into contact with persons who have tested positive for COVID-19 in the Greater Manchester area.

 We are committed to protecting your personal data and ensuring that it is processed fairly and lawfully. Information you provide to us will be processed in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018) and subsequent legislation.

Such information will be limited to what is legal, proportionate and necessary, taking into account the latest guidance issued by the Government and health professionals, in order  to provide the necessary support to those most vulnerable and in need and also to manage and contain the virus. 

A lot of what we will do with your personal data will be covered by existing powers in current laws and you can find out more information about how we process your information on the privacy policy and data protection page.

Important Note: As per latest legislative updates, the government has now stated that any employee must notify their employer if they have contracted Covid-19, as well as the start and end dates for their self-isolation period. This has replaced the previous guidance of a ‘strong recommendation to notify employers’, it is now an obligation.

What information do we collect and why?

 As a combined authority, we receive information from all ten of the local authorities based in Greater Manchester, as well as data directly from Public Health England (PHE) in order to effectively measure the health, mortality, or care needs of the region. We can use this data to anaylse the spread of the coronavirus which will allow us to plan, evaluate or monitor public health programmes, in order to protect and improve public health and wellbeing.

The data received falls into these categories:

1. Test Data

This is data that we will receive from Public Health England relating to all ten Local Authorities and its purpose is to identify and manage outbreaks across the Greater Manchester region. This data will be identifiable and can include age, gender, ethnicity, address, postcode, and occupation data. It relates to the positive cases identified by Public Health England and is refreshed almost every 24 hours. With this, GMCA are better equip to obtain the bigger picture of the effects of Covid within the entire region.

2. Contact Tracing Data

This data will be coming from both Public Health England and the ten Local Authorities. It is slightly different from the test data mentioned above, in that it will only be relating to positive cases which are complex or from complex settings. This will be used to provide direct support to those whom are finding it difficult to adhere to self-isolation measures. It may also be used for consequence management as a result of an outbreak in a complex setting, or providing prevention/proactive infection control advice and guidance.

The data items collected for contact tracing can include individuals’ details such as:

  • Full name
  • Date of birth
  • Sex
  • NHS number
  • Home postcode and house number
  • Telephone number and email address
  • COVID-19 symptoms, including when they started and their nature

How long the information is kept for?

 The information collected through Contact Tracing will be retained in line with national guidance and legal requirements as instructed. As the COVID-19 situation is changing on an almost daily basis, it is difficult to stipulate a definite retention period at this time.

This information may need to be retained because COVID-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments.

 Legal basis for processing

 The GMCA will enter into an MOU (Memorandum of Understanding) with the ten Greater Manchester Local Authorities (GM LA’s) which will allow us to run concurrent powers relating to the duties placed on the GM LA’s in executing their public health functions initially for the purposes of COVID-19. This also enables Public Health England to recognise the GMCA as a Data Controller for the purposes of sharing test and trace data in relation to complex cases. This processing relies on the Public Health Order 2017.

These duties are in accordance with the following legal bases:

  • GDPR Article 6(1)(e): the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • GDPR Article 9(2)(h): the processing is necessary for the management of health or social care systems and services
  • GDPR Article 9(2)(i): the processing is necessary for reasons of public interest in the area of public health
  • DPA 2018 – Schedule 1, Part 1, s.3: Public Health
  • DPA 2018 – Schedule 1, Part 1, (2)(2)(f): Health or social care purposes

 COPI (Control of Patient Information) Regulations 2002 - Regulation 3(4) of the Health Service

 The GMCA are now also recognised as a Data Controller within the COPI Notice since it was extended in August to include Combined Authorities in the list of organisations required to process confidential patient information for purposes set out in Regulation 3(1). These purposes include NHS Test and Trace as well as other measures intended to help monitor and manage the Covid-19 outbreak.

Your rights as a data subject

 The GDPR gives you the following rights over your information:

  • Your right to get copies of your information

You have the right to ask for a copy of any information about you that is used.

  • Your right to get your information corrected

You have the right to ask for any information held about you that you think is inaccurate to be changed.

  • Your right to limit how your information is used

You have the right to ask for the use of any information held about you to be restricted. For example, you can ask this where you think the information GMCA is using is inaccurate.

  • Your right to object to your information being used

You can ask for any information held about you not to be used. This is not an absolute right and GMCA may need to continue to use your information. We will tell you why if this is the case.

  • Your right to get your information deleted

You can ask for any information held about you to be deleted. This is not an absolute right and GMCA may need to continue to use your information. We will tell you why if this is the case.

For more information on the GDPR and your rights, please visit the ICO website.

To find out what information we hold about you, you need to make a Subject Access Request in writing.  If you wish to exercise any of your other information rights please contact us on

If you are not satisfied with the response from us you can complain to the Information Commissioner’s Office. For further details on this and your information rights please visit the Information Commissioner’s Website.

Data Protection Officer (DPO)

The GMCA is required by law to have a DPO. The DPO has a number of duties, including:

  • Monitoring the organisations compliance with data protection law;
  • Providing expert advice and guidance on data protection;
  • Acting as the point of contact for data subjects; and,
  • Co-operating and consulting with the Information Commissioner’s Office (see ‘Complaints’ below).

The GMCA’s Data Protection Officer can be contacted by email at