Privacy notice

On 28 September 2020, the government passed into law a national Test and Trace support scheme. From 12 October 2020, a one-off payment of £500 or access to a discretionary fund was available for eligible individuals. 

If you applied, we needed to process your personal data to assess whether you were eligible to receive financial support, and if so, to provide a payment to you. This privacy notice sets out what personal data we used, how we used it, and why we need to, when an applicant applied for support. 

Data controller 

The Department of Health and Social Care (DHSC) commissioned NHS Test and Trace, on behalf of the government, and is the data controller for the purposes of providing Medway Council Test and Trace data.

Medway Council are the data controller for the purposes of assessing eligibility, administering and making payments under the Test and Trace Support scheme. 

If you have been told by the NHS to self-isolate, either because you have tested positive for coronavirus (COVID-19) or you have been in contact with someone who has tested positive, you may be entitled to some financial support during your self-isolation period. 

About self-isolation payments

People who are eligible will receive a £500 one-off Test and Trace Support payment, or provision from the discretionary fund, to remain at home to help stop the spread of the virus. 

Categories of personal data we collect and process 

We collect and process the personal data that you provide to us when completing your application for a self-isolation support payment, which may include: 

  • full name
  • full residential address
  • email address
  • mobile phone number
  • home phone number
  • proxy applicant details (as above where you may nominate someone else to complete this application on your behalf)
  • employer name and address
  • NHS notification number (the unique reference you will be given by NHS Test and Trace Service to self-isolate)
  • bank account details
  • your National Insurance number
  • proof of self-employment, for example a recent business bank statement (within the last 2 months), most recent set of accounts or evidence of self-assessment.

Source and categories of personal data 

We will obtain data from the NHS Test and Trace Service to confirm that you have either tested positive for COVID-19 or you have been in close contact with someone who has tested positive for COVID-19. As this data is related to your health it is referred to as ‘special category data’. 

You or your nominated representative will also provide us with additional personal data in relation to your application for a self-isolation payment. 

What we use your personal data for

We will carry out checks with the NHS Test and Trace Service and the Department for Work and Pensions (DWP), for verification purposes, Her Majesty’s Revenue and Customs (HMRC), for tax and National Insurance purposes, and potentially with your employer when validating your application.   

Information relating to your application will also be sent to the DHSC (Department of Health and Social Care) to help understand public health implications, allow us to carry out anti-fraud checks and determine how well the scheme is performing.  

To validate your bank account details, we need to share relevant information you've given us with TransUnion. This will be used to ensure your Test and Trace Support Payment is paid to the correct bank account and to help prevent fraudulent use of the Test and Trace Support Payment scheme. This is not a credit check and will not impact your credit rating. Find out more about how TransUnion may use your data

Medway Council may verify some of the information with other departments within the council. Medway Council may use the information provided to update other departments in the council.

We will not share this data with other organisations or individuals outside of Medway Council for any other purpose. 

We will provide information to HMRC in relation to any payments we make, because self-isolation payments are subject to tax and National Insurance contributions. If you are self-employed, you will need to declare the payment on your Self Assessment tax return. 

Our lawful basis for processing the personal data 

We must have a legal basis to process your personal data. Our lawful basis in the processing that we’ll undertake in assessing your eligibility for, and in making any self-isolation payment to you, is based on a legal obligation.  

Where we use personal information to confirm that someone is eligible for a self-isolation payment, the sections of the law that apply are: 

  • GDPR Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller 
  • GDPR Article 9(2)(i) - processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare; 
  • Data Protection Act 2018 Schedule 1 Part 1 (2) - health or social care purposes.

Separately, we have special permission from the Secretary of State for Health and Social Care to use confidential patient information without people’s consent for the purposes of diagnosing, recognising trends, controlling, preventing, monitoring and managing communicable diseases and other risks to public health.  

This is known as a ‘section 251’ approval and includes, for example, using your test results if you test positive for COVID-19 to start the contact-tracing process.  

The part of the law that applies here is section 251 of the National Health Service Act 2006 and Regulation 3 of the associated Health Service (Control of Patient Information) Regulations 2002. 

You can find more information in the NHS Contact Tracing Privacy Notice.

Data processors and other recipients of your data 

These are the recipients with which your personal data is shared: 

  • Her Majesty’s Revenue and Customs (HMRC) for tax and National Insurance purposes
  • your employer for verification checks purposes

International data transfers and storage 

We do not transfer data internationally. See our financial services privacy policy.

Personal data disposal and retention 

We will only keep your personal data for as long as it is needed for the COVID-19 emergency, and for audit and payment purposes. 


Cookies are small text files that are placed on your browser. Find out how we use cookies.

Your rights as a data subject 

By law, you have a number of rights as a data subject and this does not take away or reduce these rights. Your rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018 applies. 

All information is processed in line with the Medway Council’s data protection policy.

These rights are: 

  • your right to get copies of your information: you have the right to ask for a copy of any information about you that is used
  • your right to get your information corrected: you have the right to ask for any information held about you that you think is inaccurate, to be corrected 
  • your right to limit how your information is used: you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used. 
  • your right to object to your information being used: you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case
  • your right to get information deleted: this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.

If you're unhappy or wish to complain about how your personal data is used as part of this programme, you should contact Medway Council in the first instance.  

If you are still not satisfied, you can complain to the Information Commissioner's Office. Their address is: 

Information Commissioner's Office 
Wycliffe House 
Water Lane 
SK9 5AF 


We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited, and the audits are reviewed at senior level. 

Data Protection Officer 

Data Protection Officer 
Information Governance Team 
Legal Services 
Medway Council 
Gun Wharf 
Dock Road 
ME4 4TR 


Automated decision making or profiling 

No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.  

Changes to our policy 

We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on our website. This privacy notice was last updated on 22 February 2021.