Data Protection considerations for re-opening the University campus
Structure and governance
As part of the University's preparations to re-open the campus for the new academic year, we will be implementing several initiatives to reassure staff, students and visitors to campus that the University is doing its best to:
- take care of the community
- help identify employees, students or visitors who may be experiencing COVID-19 symptoms
- provide real-time infection data on the University population
In so doing, some of the initiatives may involve processing personal data and special category data (health data) about individuals.
The purpose of this page is to provide as much information as possible about why this data is needed, who it will be shared with and how long it will be kept.
This information will be relevant to all of the processing involved in re-opening the campus, but details relating to specific initiatives can be found under the separate headings below. This article will be updated as often as necessary but if you have any questions which are not answered here, please feel free to send an email to the email@example.com email address or telephone +44 (0)23 92843642 or +44 (0)23 92863103.
The University already has individual data protection statements for staff and students that explain how personal and special category data is processed within the University, so the following information is specifically concerned with the extra processing envisaged for dealing with the preparations to re-open the campus in response to COVID-19 concerns.
It is always necessary to have a legal basis for processing personal data, and in relation to the personal data that could be processed under the proposed initiatives, for example, name and contact details, it is believed those most appropriate are that the processing is necessary:
- For compliance with a legal obligation to which the University is subject (H&S legislation) (GDPR Article 6(1)(c))
- For the performance of a task carried out in the public interest (GDPR Article 6(1)(e))
- For the purposes of the legitimate interests pursued by the University (GDPR Article 6(1)(f))
If it is necessary to collect special category data (health data), the appropriate legal bases will be that the processing is necessary:
- For the purposes of carrying out the obligations and exercising specific rights of the University or of individual data subjects in the field of employment and social security and social protection law (GDPR Article 9(2)(b) and Data Protection Act 2018 Schedule 1 Part 1, s1(1)(a))
- For reasons of public interest in the area of public health (GDPR Article 9(2)(i)
The University is committed to only processing the data that it is necessary to process to achieve the objectives of identifying any possible infections and providing reassurance to staff, students and visitors of the steps being taken to prevent a rise in infections. This data will generally be held electronically for 21 days in secure, access controlled areas of University systems and securely deleted when the data is no longer needed. The only exception to this may be when data can be anonymised and used for statistical analysis or research purposes, but individuals will not be identifiable from this anonymised data.
The majority of the personal data processed will be retained within the University for University purposes (within HR, Occupational Health, Health & Safety, line managers). It may be necessary to share some personal data with external organisations, for example, the NHS or Public Health England (PHE), but this will only be if it is required by those organisations and only the minimum data necessary will be shared via secure electronic means.
In line with the requirement to always only process the minimum necessary amount of personal data, if an incident occurs within the University where it is believed / known that you have had contact with an individual who has contracted the Covid-19 virus, you will be informed of that fact and any actions you may need to take to protect yourself. You will not usually be told the name of the individual who has contracted the virus.
Data Subject rights
Everyone has the right to access their data held by the University (a Subject Access Request) at any time. The University has a calendar month in which to respond to a Subject Access Request, but if the only data you require is any that may have been collected as part of the preparations to re-open the campus, it will be possible to obtain that faster than usual. Please use the contact details below to discuss this access to your data and any other issues you wish to raise about your personal data at this time.
If you are a member of staff, now would be a good time to refresh your training in data protection and information handling practices. Please go to the University’s Moodle site to take the relaunched Information Governance training.
Please send an email to firstname.lastname@example.org or phone +44 (0)23 92843642 or +44 (0)23 92863103 if you have any remaining queries about how your data may be processed in relation to COVID-19 precautions.
NHS Test and Trace
The University may be required to provide information to the NHS Test and Trace service if contacted by that organisation in relation to someone who has attended the University campus and who has tested positive for COVID-19.
Staff and students
If requested, we will provide details relating to staff and students such as their name and contact details, and dates and times when those individuals were on campus where this is known, for example, Library turnstile data, attendance monitoring records or timetable data.
We may also provide the contact details of individuals with whom that member of staff may have had contact, if requested.
Contractors and visitors
We will record the following data relating to contractors and other visitors to the University campus, for the purposes of providing this data to the NHS Test and Trace programme if required, in line with Government requirements:
- Name of the individual or of the leader of a group plus the number of individuals in the group
- Contact telephone number
- Date of the visit plus, is possible, arrival and departure times
- Details of staff members with whom the group interacted
This data will be provided on behalf of the University by one named member of staff within the University but staff should be aware that if they are contacted directly by someone asking for this information, it would only be a valid enquiry if:
- a telephone call was received from 0300 013 5000, which is the NHS Test and Trace programme central number
- a text was received from NHS Tracing
- you are advised to sign into the NHS Test and Trace webpages, but only through searching for that website, not entering a URL provided by anyone
If you believe the request is valid, it should be passed to the named member of staff referred to above to answer.
If you believe the request is a possible scam, please refer it to the IS Service desk on ext. 7777 or email@example.com.
The temperature-screening programme aims to identify employees, students, contractors and visitors to the University who may be experiencing a raised temperature, one of the possible COVID-19 symptoms, and to monitor statistics of those scanned and those showing a raised temperature, which might be an indicator of COVID-19.
The Temperature screening programme has 2 phases.
In the first phase (thermal imaging), no personal data is collected. A scan of an individual approaching the scanner will be taken and a message displayed on a screen visible only to the person approaching the scanner. The image and message displayed will not be recorded in a way that personally identifies any individual. The only record kept will be an anonymous record of how many scans are completed and how many of the two messages (elevated temperature or no elevated temperature) were displayed.
If a message is displayed advising the individual to contact a member of the University’s Health and Safety Team, it may be necessary to discuss and record personal and special category data for that individual (the Second phase of the programme). The Health and Safety Team will, however, only keep a record of relevant details collected in this phase. This will include, but is not limited to, the name and email address of any individual that notifies Health and Safety that they are returning home to self-isolate following an alert of an elevated temperature as signalled by the scanner, although if the individual volunteers any further data this may also be processed if it is relevant to their situation. The notification that an individual is self-isolating will be recorded, as will the fact that the individual has notified the University’s Health and Safety Team of a positive COVID-19 test. This information may be provided to that individual's line manager, the Human Resources Department and the Estates and Campus Services Department.