About this policy
Note: due to the evolving nature of COVID-19 response, it may be necessary to enhance the Service. This may include changing the way we process personal data it captures and who we share it with. However, personal data will always be processed in accordance with data protection laws and this privacy notice will be updated to reflect any changes to the Service.
Learn more about coronavirus (COVID-19).
Our commitment to protecting your personal information
Whenever you provide personal information to a third party, that party is legally obliged to use your information in line with data protection law.
We take the security of your personal information seriously. We've set up security measures, policies and procedures such as:
- training all staff annually in data and security protection
- monitoring our platform to keep your personal information secure
- following good practice guidance provided by the National Technical Authority
- always using legally binding agreements with all organisations we use
- having security and confidentiality policies in place across the organisation, to which staff must agree before they're given access to personal information
- restricting access to personal information to only those staff who need access to perform their role
The Service and who we are (Controller's contact details)
The Service allows a user to:
- Get an isolation note as an alternative to obtaining a GP fit note (sometimes referred to as a sick note) to evidence that you or a person you live with and/or care for was instructed to stay at home. This can then be used for sick pay purposes.
- Check an isolation note enabling an authorised individual or body, such as an employer, to verify it is valid.
The Service also provides a public-facing helpdesk for user queries relating to the functionality of the service.
NHS Digital also operates the NHS 111 online service, including the NHS 111 online coronavirus service.
NHS Digital was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services. Find out more about NHS Digital.
NHS Digital is the controller for the personal data we process, unless otherwise stated.
You can contact us by post, telephone or email. More details are available on our contact page.
Our postal address is:
1 Trevelyan Square
Telephone: 0300 303 5678
Our Data Protection Officer
Our Data Protection Officer, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations, can be contacted via email@example.com.
Our legal basis for processing personal data
The Department of Health and Social Care on behalf of the Secretary of State has directed NHS Digital under s.254 of the Health and Social Care Act 2012 to collect and analyse data in connection with COVID-19 and set up a system to collect this data. This includes the "Get an isolation note" service and the "Check an isolation note" service. The legal direction is titled COVID-19 Public Health Directions 2020 dated March 2020.
Our legal basis for processing your personal data under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018) is:
- GDPR Article 6 (1) (c) – processing is necessary to comply with a legal obligation
- GDPR Article 6 (1) (e) – processing is necessary for the performance of a task carried out in the public interest
- GDPR Article 9 (2) (g) – processing is necessary for reasons of substantial public interest
- DPA 2018 – Schedule 1, Part 2, (6) (1) – Statutory and government purposes
- GDPR Article 9 (2) (h) – processing is necessary for the management of health or social care systems and services
- DPA 2018 – Schedule 1, Part 1, (2) (2) (f) – Health or social care purposes
- GDPR Article 9 (2) (i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health
- DPA 2018 – Schedule 1, Part 1, (3) – Public health
If you agree to take part in feedback or surveys about the Service, our legal basis for processing your data in this context is consent (GDPR Article 6 (1) (a)).
What information we collect about you and how it is used
The information processed for the purposes of the Service can be split into several different categories.
Details of the information and personal data falling within each of the categories where NHS Digital is the controller are set out below.
| Category of information | Personal data | Special categories of personal data |
|---|---|---|
| Service audit data | Information captured against the user's Client IP Address about your use of the Service, such as the time of use, actions you took using the Service, and associated technical log events. Used to diagnose problems, understand usage by individuals and the Service as a whole. | None |
| Service isolation note data (collected for "Get an isolation note" service only) | Details of the user (name, date of birth, reason(s) for self-isolation, start date of self-isolation) used to personalise the isolation note and their email address used to send it to them through GOV.UK Notify (our processor). | Yes – the reason(s) for self-isolation may contain a limited quantity of health data reflecting a coronavirus diagnosis for you or a person you care for. |
| Service helpdesk information | The personal data you provide if you contact the helpdesk; could include information about your use of the Service. | None |
| Service helpdesk feedback and surveys | The personal data you provide if you provide feedback such as responding to one of our surveys. | None |
Who we share your data with
If you are using the "Check an isolation note" service we do not share any of your personal data in an identifiable form.
We will also share aggregate (non-personal) data with the Department of Health and Social Care (including NHS England, NHSX, Public Health England) and the Department of Work and Pensions. This will be used to understand service usage and performance.
How NHS Digital uses your personal data and why
The processing of your personal data is necessary to provide you with the Service and ensure the functionality of the Service.
We may need to share your personal information if we are required to do so by law.
How long we keep your data for
| Category of information | Retention period |
|---|---|
| Service audit data | 6 years after the audit event occurred |
| Service isolation note data (collected for "Get an isolation note" service only) | 8 years after the isolation note was issued |
| Service helpdesk information | 12 months |
| Service helpdesk feedback and surveys | 12 months |
Where this data is stored and processed
We only store and process your personal data within the UK.
Under data protection law you have certain rights. The rights available to you depend on our reason for processing your data. These rights are listed below:
- to know how your data will be collected, processed and stored, and for what purposes
- to withdraw your consent (only applies for service helpdesk feedback and surveys)
- to request a copy of your personal data
- to correct your personal data errors or omissions
- to request we delete your personal data (only applies for service helpdesk feedback and surveys)
- to request we restrict our use of your personal data (for example, if you think it's inaccurate and needs to be corrected before it's used)
You can read more about your rights and when they apply on the Information Commissioner's Office's (ICO) website.
Your right to complain
If you wish to raise a complaint about how NHS Digital uses your data, visit our feedback and complaints page. You also have the right to raise a concern with the Information Commissioner's Office at any time.
Points of contact for queries
If you have any queries in relation to the use of your personal data within the Service, or in the Service generally, see the information on our help and support page in the first instance.
Page last reviewed: 7 April 2020
Next review due: 7 October 2020