Privacy Notice

Last updated on: 30-Jun-2021

Coronavirus COVID-19 Privacy Notice

This privacy notice explains how we will collect, use and protect personal data specifically with regard to the Coronavirus (COVID-19) pandemic.

Our Corporate Privacy Notice contains more information on how we collect, use and protect personal data generally, as well as your rights as a data subject.

You can also check our website for the latest updates on ‘Covid-19’.

You may have provided personal information to us for a specific reason and normally, we would notify you if your information was being used for a different purpose. However, due to the COVID-19 situation, this will not always be possible.

If we already hold information about your vulnerability as per guidance from the Government and Public Health England, we may share this information with services both internal and/or external to us. Your information will only be shared for emergency planning purposes and/or to protect your vital interests.

We may need your personal data, including sensitive personal information that you have not already supplied. For example, your age or if you have any underlying illnesses or are vulnerable. This is so we can assist you and prioritise our services.

If we have information indicating that you are vulnerable, we may contact you to ensure your safety and to assist you where possible.

If you are a volunteer, we use your personal information to enable us to communicate with you in order to provide support. If you require volunteer support we use your data to enable our volunteers to support you during the COVID-19 pandemic and to keep you in contact with vital services.

If you apply for 'Kent Together' community support, we will use the information passed onto us by Kent County Council, so that we can arrange the required assistance, as applicable, for you.

In order to contain clusters or outbreaks of Covid-19 and to assist NHS Test and Trace, if you (customer, visitor or staff) are accessing one of our buildings e.g. Civic Centre, Market building, Woodville or Art centre etc. we will ask you for specific information that has been set out in government guidance (see below).

NHS Test and Trace will ask for these records only where it is necessary, either because someone who has tested positive for COVID-19 has listed our premises as a place they visited recently, or because our premises have been identified as the location of a potential local outbreak of COVID-19.

If you have been told by the NHS to self-isolate, either because you have tested positive for COVID-19 or you have been in contact with someone who has tested positive, you may be entitled to some financial support. This may include self-isolation payment during your self-isolation period. If you are eligible, you will receive a £500 one-off Test and Trace Support payment or provision from the discretionary fund to remain at home. See our Privacy Notice for Self-Isolation Payment under the Test and Trace Support Scheme.

Processing activity

We may process personal information relating to:

  • The delivery of support or information about support available
  • the delivery of Kent County Council's 'Kent Together'
  • self-isolating payments
  • licences
  • fixed penalty notices
  • grant payments to businesses which have to close or are severely affected due to localised or widespread national restrictions being put in place – as directed by Government

Information requirements

Our processing activities may include:

  • name
  • address
  • contact details (email and telephone number)
  • organisation details
  • organisation activity
  • date of birth
  • medical history and GP contact details
  • health indicators (mental health status, physical activity status)
  • names and contact details for members of your family and support network
  • information about your support needs
  • Unique IDs
  • skills
  • information referred to in our Privacy Notice for Self-Isolation Payment under the Test and Trace Support Scheme.

NHS Contact Tracing

In relation to customers and visitors, we will record:

  • the name of the customer or visitor. If there is more than one person, we will record the name of the ‘lead group member’ and the number of people in the group, including any member of the group that has scanned a QR Code when seeking to enter other venues e.g. Market Building, The Woodville;
  • a contact phone number for each customer, visitor or ‘lead group member’;
  • email address;
  • postal address;
  • date of visit, arrival time and where possible, departure time for each customer, visitor and ‘lead group member’;
  • if a customer, visitor or ‘lead group member’ interacts with a member of staff, the name of the staff member will be recorded alongside that of the customer, visitor or ‘lead group member’.

In relation to staff, we will record:

  • the names of staff who work at the premises;
  • a contact phone number for each member of staff;
  • the dates and times that staff are at work.

Lawful bases

Our lawful bases for processing your personal information are:

  • where processing is necessary in order to protect the vital interests of yourself or another person. See (Articles 6(1)(d) and 9(2)(c) of GDPR);
  • where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us. See (Article 6(1)(e) GDPR), pursuant to the:
  1. Local Government (Miscellaneous Provisions) Act 1976 - recreational facilities (test and trace)
  2. Public Libraries and Museums Act 1964 - maintenance of museums and galleries (test and trace)
  3. Health and Safety at Work etc. Act 1974 employer’s general duties to staff and persons other than staff (test and trace)
  4. Crime and Disorder Act 1998 – section 115 - sharing self isolation information with the Police (if there is evidence to suggest you are not complying with the duty to self-isolate without reasonable justification)
  5. Health Service (Control of Patient Information) Regulations 2002. This includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of the Control of Patient Information Notice (COPI). This is required for a Covid-19 purpose and processed solely for that Covid-19 purpose in accordance with Regulation 7 of COPI, controlling and preventing the spread of such diseases and risks
  6. Civil Contingencies Act 2004 and Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 – exercise of functions in an emergency
  7. Business and Planning Act 2020 - pavement licences
  8. Health Protection (Coronavirus, Restrictions) (No. 2) (England) Regulations 2020 – reg.9(13) (issue of fixed penalty notices)
  9. The Health Protection (Coronavirus, Restrictions) (Self-Isolation) (England) Regulations 2020 – reg 10(6) (self -isolation enforcement) and reg.12(12) (issue of fixed penalty notices)
  10. The Health Protection (Coronavirus, Collection of Contact Details etc. and Related Requirements) Regulations 2020 - requirement to request certain information from individuals, groups etc.
  • where processing is necessary for compliance with a legal obligation (Article 6(1)(c) UK GDPR)
  • where processing is necessary for the reasons of substantial public interest (Article 9(2)(g) UK GDPR)
  • where processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare (UK GDPR Article 9(2)(i))
  • Data Protection Act 2018 Schedule 1 Part 1 (2) - health or social care purposes

Recital (46) of the GDPR states: "The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person." For this purpose, we may process data to serve important grounds of public interest, including for monitoring epidemics and their spread.'

Reasons for processing

Some of the information that is collected and shared is classified as special category personal data (health indicators (mental health status, physical activity status). This is processed for reasons of substantial public interest under the laws that apply to us (see above) where this helps to meet our broader social obligations such as where it is necessary for us to fulfil our legal obligations and regulatory requirements during the COVID-19 pandemic. We have a Data Protection Policy that sets out how this information will be handled.

Data sharing

We may receive from and share your personal information with and including:

  • Our service departments (where necessary and proportionate)
  • Kent County Council including Adult Social Care and Health and Children’s Social Care
  • Central Government
  • General Practitioners, other medical practitioners
  • Emergency Services/First Responders
  • Voluntary and charity sectors
  • Register of volunteers
  • Healthy Living Centre Dartford
  • Other stakeholders (where necessary and proportionate)
  • NHS Test and Trace or public health officials, if requested

We may share information with Kent County Council to deliver the local tracing partnership. We may be asked for contact details (limited to address, phone and email information). We will interrogate our data sources, such as housing benefits, electoral register and council tax databases. See Kent County Council’s Kent Local Tracing Partnership Privacy Notice.

We aim to protect your privacy and confidentiality and will only share personal information where necessary to provide support.

We may rely on a number of exemptions, which allow us to share information without needing to comply with all the rights and obligations under the Data Protection Act 2018. Please refer to the Kent and Medway Information Agreement (hosted by Dartford Borough Council) for further details on our sharing arrangements.

Retention period

We will hold your data for the duration of the COVID -19 pandemic and up to three (3) months following notification from Central Government that there is no longer a pandemic. Our NHS Test and Trace log will be securely maintained for 21 days and then destroyed as soon as reasonably practicable, unless there is a lawful basis to retain the data.


Your personal information may be converted ('anonymised') into statistical or aggregated data in such a way that ensures that you cannot be identified from it. Aggregated data cannot, by definition, be linked back to you as an individual and may be used to conduct research and analysis, including the preparation of statistics for use in our reports.

We will not sell your personal information to third parties.

Right to object

Where processing your personal information is required for public interest task (see our lawful bases), you have the right to object on ‘grounds relating to your particular situation’. We will have to demonstrate why it is appropriate for us to continue to use your personal data.

Changes to this Privacy Notice

We will review this Privacy Notice regularly and will place updates on our website.

Further information

See the Information Commissioner’s FAQs on data handling during the COVID-19 pandemic.


Was the information on this page helpful?

Let us know