Data Protection considerations for re-opening the University campus
Structure and governance
As part of the University's preparations to re-open the campus for the new academic year, we have implemented several initiatives to reassure staff, students and visitors to campus that the University is doing its best to:
- take care of the community
- help identify employees, students or visitors who may be experiencing COVID-19 symptoms
- provide real-time infection data on the University population
In so doing, some of the initiatives may involve processing personal data and special category data (health and ethnicity data) about individuals.
The purpose of this page is to provide as much information as possible about why this data is needed, who it will be shared with and how long it will be kept.
This information will be relevant to all of the processing involved in re-opening the campus, but details relating to specific initiatives can be found under the separate headings below. This article will be updated as often as necessary but if you have any questions which are not answered here, please feel free to send an email to the email@example.com email address or telephone +44 (0)23 92843642 or +44 (0)23 92863103
The University already has individual data protection statements for staff and students that explain how personal and special category data is processed within the University, so the following information is specifically concerned with the extra processing envisaged for dealing with initiatives on campus in response to COVID-19 concerns.
It is always necessary to have a legal basis for processing personal data, and in relation to the personal data that could be processed under the proposed initiatives, for example, name and contact details, it is believed those most appropriate are that the processing is necessary:
- For compliance with a legal obligation to which the University is subject (H&S legislation) (GDPR Article 6(1)(c))
- For the performance of a task carried out in the public interest (GDPR Article 6(1)(e))
- For the purposes of the legitimate interests pursued by the University (GDPR Article 6(1)(f))
If it is necessary to collect special category data (health or ethnicity data), the appropriate legal bases will be that the processing is necessary:
- For the purposes of carrying out the obligations and exercising specific rights of the University or of individual data subjects in the field of employment and social security and social protection law (GDPR Article 9(2)(b) and Data Protection Act 2018 Schedule 1 Part 1, s1(1)(a))
- For reasons of public interest in the area of public health such as protecting against serious cross-border threats to health (GDPR Article 9(2)(i))
- For reasons of public interest in the area of public health and is carried out by or under the responsibility of a health professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law (Data Protection Act 2018, Schedule 1, Part 1(3)).
The University is committed to only processing the data that it is necessary to process to achieve the objectives of identifying any possible infections and providing reassurance to staff, students and visitors of the steps being taken to prevent a rise in infections. This data will (where possible) be held electronically for 21 days in secure, access controlled areas of University systems and securely deleted when the data is no longer needed. If it is necessary to keep data in a paper form - for example, check-in details for campus cafes, this will be held securely in locked cabinets and shredded after 21 days. The only exception to only retaining data for 21 days may be when data can be anonymised and used for statistical analysis or research purposes, but individuals will not be identifiable from this anonymised data.
The majority of the personal data processed will be retained within the University for University purposes (within HR, Occupational Health, Health & Safety, line managers). It may be necessary to share some personal data with external organisations, for example, the NHS or Public Health England (PHE), but this will be if it is required by those organisations and only the minimum data necessary will be shared via secure electronic means.
The University has an agreement with Portsmouth City Council (PCC), that the PCC will share data it receives from Public Health England with the University, in order to identify individuals within the University community with, or at risk of, Covid-19 with the view to contacting, logging, screening and providing services to help those individuals.
In line with the requirement to always only process the minimum necessary amount of personal data, if an incident occurs within the University where it is believed / known that you have had contact with an individual who has contracted the Covid-19 virus, you will be informed of that fact and any actions you may need to take to protect yourself. You will not usually be told the name of the individual who has contracted the virus.
Data Subject rights
Everyone has the right to access their data held by the University (a Subject Access Request) at any time. The University has a calendar month in which to respond to a Subject Access Request, but if the only data you require is any that may have been collected as part of the preparations to re-open the campus, it will be possible to obtain that faster than usual. Please use the contact details below to discuss this access to your data and any other issues you wish to raise about your personal data at this time.
If you are a member of staff, now would be a good time to refresh your training in data protection and information handling practices. Please go to the University’s Moodlesite to take the relaunched Information Governance training.
NHS Test and Trace
The University may be required to provide information to the NHS Test and Trace service if contacted by that organisation, in relation to someone who has attended the University campus and who has tested positive for COVID-19.
Staff and students
If requested, we will provide details relating to staff and students such as their name and contact details, and dates and times when those individuals were on campus where this is known, for example, Library turnstile data, attendance monitoring records or timetable data.
We may also provide the contact details of individuals with whom that member of staff may have had contact, if requested.
Contractors and visitors
We will record the following data relating to contractors and other visitors to the University campus, for the purposes of providing this data to the NHS Test and Trace programme if required, in line with Government requirements:
- Name of the individual or of the leader of a group plus the number of individuals in the group
- Contact telephone number
- Date of the visit plus, is possible, arrival and departure times
- Details of staff members with whom the group interacted
This data will be provided on behalf of the University by the Health and Safety Covid-19 team within the University, but staff should be aware that if they are contacted directly by someone asking for this information, it would only be a valid enquiry if:
- a telephone call was received from 0300 013 5000, which is the NHS Test and Trace programme central number
- a text was received from NHS Tracing
- you are advised to sign into the NHS Test and Trace webpages, but only through searching for that website, not entering a URL provided by anyone
If you believe the request is a possible scam, please refer it to the IS Service desk on ext. 7777 or firstname.lastname@example.org.
The temperature-screening programme aims to identify employees, students, contractors and visitors to the University who may be experiencing a raised temperature, one of the possible COVID-19 symptoms, and to monitor statistics of those scanned and those showing a raised temperature, which might be an indicator of COVID-19.
The Temperature screening programme has 2 phases.
In the first phase (thermal imaging), no personal data is collected. A scan of an individual approaching the scanner will be taken and a message displayed on a screen visible only to the person approaching the scanner. The image and message displayed will not be recorded in a way that personally identifies any individual. The only record kept will be an anonymous record of how many scans are completed and how many of the two messages (elevated temperature or no elevated temperature) were displayed.
If your temperature is below 37.8 degrees Celsius (100 degrees Fahrenheit) you will be able to enter the building.
If your temperature is above 37.8 degrees Celsius (100 degrees Fahrenheit) an alert will sound and you will be shown a message explaining the next steps you need to take. If an alert is sounded twice, you will need to return home to follow the guidance on returning home to self-isolate. You will need to contact the University’s Health and Safety Team, when it may be necessary to discuss and record personal and special category data (the Second phase of the programme). The Health and Safety Team will, however, only keep a record of relevant details collected in this phase. This will include, but is not limited to, the name and email address of any individual that notifies Health and Safety that they are returning home to self-isolate following an alert of an elevated temperature as signalled by the scanner, although if the individual volunteers any further data this may also be processed if it is relevant to their situation. The notification that an individual is self-isolating will be recorded, as will the fact that the individual has notified the University’s Health and Safety Team of a positive COVID-19 test if this is then confirmed. This information may be provided to that individual's line manager, the Human Resources Department and the Estates and Campus Services Department.
The University provides staff and students with the opportunity to take a Covid-19 test if they wish, even though they may not be experiencing any Covid symptoms (asymptomatic testing).
Individuals are asked to book an appointment at the testing site, and on arrival at the site, will be asked to complete a data sheet which will include their name, staff / student name and ID number, phone number and email address.
The screening tests are initially administered by an external company – NTL Biologica – which will associate the results with the personal data provided in order to provide the individual with their results. The results of the swab test will be shared directly with the individual tested and copied to the University so that an overview of the infection rate within the University can be assessed. NTL Biologica will not retain any personal data once the results have been provided to the individual.
If the screening test suggests that an individual might have COvid-19, they will then be asked to return to the testing site for a full COiv-19 swab test which will be sent to QA hospital for processing, along with the personal data already provided by the individual so that the hospital can provide the individual with the results of the test. If an individual tests positive for Covid-19 this data will be provided to the University’s Occupational Health department to follow up with the individual.
Please send an email to email@example.com or phone +44 (0)23 92843642 or +44 (0)23 92863103 if you have any remaining queries about how your data may be processed in relation to COVID-19 precautions.