  • dpadviceservice

Data Protection in Schools: track and trace data and Covid-19 testing

25th January 2021

Whilst the government have put the lateral flow testing plans on hold, many schools are still carrying out testing of staff. I have received several queries on this and thought it might be useful to set out the FAQs below.

We are carrying out testing of staff, do we have any data protection considerations?

Yes. You will be processing personal information and will therefore need to consider GDPR and the Data Protection Act 2018 when recording the test information.

The personal data includes medical information (the test results). This is special category data, and extra care should be taken when processing it.

Special category data requires a legal basis for processing under Article 6 GDPR and a separate condition for processing under Article 9 GDPR.

Should we carry out a risk assessment before carrying out the testing?

As you will be processing special category data, it is important to establish the risks involved with your collection, storage and sharing of this test data. The best way to do this is to carry out a Data Protection Impact Assessment (DPIA).

As part of your risk assessment, you should consider:

· What personal information you are collecting,

· How you are collecting the information,

· Where you are recording the information and test results,

· Where you are storing consent for testing,

· Who you are sharing the information with (if applicable).

What lawful basis do we have for carrying out the tests?

Most schools are carrying out optional staff testing, meaning that staff will be required to consent to being tested. If this is the case, you will need to have prepared an appropriate consent form for staff to sign or notified staff that the testing is optional and that by taking the test, they are consenting to you holding their test result information.

If you wish to make it mandatory for staff to test, then you could rely on legitimate interests.

*Please note that whilst it may be acceptable to make testing mandatory from a data protection perspective, there are other issues that may prohibit you from making testing mandatory e.g., employment law, equality laws or Health and Safety regulations.

As you are processing special category data, you will also need to identify a relevant Article 9 condition for processing this data. It is likely that you will rely on either the employment condition (Health and Safety) or the Public Interest condition (wider school community).

You will need to identify your Article 9 condition whatever lawful basis you seek to rely on.

Are we allowed to record the test results?

Yes. You can record test results alongside your staff personal data but you must ensure that you have put measures in place to ensure the security of this information. You should consider where you are recording this information, who can access the records and whether the records could be accessed unlawfully (e.g. through hacking).

If you are asking staff to test themselves, you should consider how you are asking those staff members to communicate the results to you. If they are emailing the results, it should be done via school email accounts to improve security.

Where should we record the test results?

There is no prescribed place where results should be recorded; each school will have different practices. It is up to you to consider where you think the most appropriate place for your records would be.

It would be better to keep electronic records to avoid paper records becoming lost.

You should ensure that your electronic records are stored on the secure school network and are accessible only to those who need access. You should consider whether you require greater safeguarding measures in place, such as password-protected documents.

What information do we need to provide to staff regarding the testing?

You should provide staff with details about the testing process, what information you are planning to collect about them for the purposes of the testing process, where that information is going to be stored and who (if applicable) that information is going to be shared with.

The information can either be provided to staff in a separate privacy notice for Covid-19 testing or in your consent form/letter.

If a member of staff tests positive, you will need to communicate that information to anyone who has come into contact with that staff member. You should do this without sharing the name of the member of staff who has tested positive. Whilst it is likely to be obvious who the member of staff is, you should avoid telling others. You should only notify people who need to know e.g. those who will need to self-isolate or have a Covid test following close contact.

Can I make testing/recording test results mandatory for all staff?

As mentioned above, this is not just a data protection consideration.

Whilst it may be possible to justify making testing mandatory for all staff from a data protection perspective, there are other laws to consider.

Please see the ‘what lawful basis do we have for carrying out the tests’ section above.

How often should we check staff for symptoms or test employees?

This depends on how you are operating during the lockdown. Staff members who are in school and in contact with pupils on a daily basis may be encouraged to test more frequently than office staff who are in contact with fewer people.

The testing, and processing of test data, should be reasonable and proportionate to the specific circumstances of the staff member’s role.

If a member of staff has a test done through the NHS track and trace system, can we record the result of that test?

Yes, if the member of staff discloses this information to you, you can record it as long as you notify the staff member that you are going to do this. It would be best practice to ask staff to notify you of any positive test and include information about recording any track and trace results with your Covid-19 testing privacy notice/consent form.

You should ensure that you store this information securely and only share the information if this is necessary.

Do we require a privacy notice for staff to cover the testing?

No. You are required to notify staff members about how you are going to process their personal information and it is unlikely that your existing privacy notice will cover recording of the test results. You may, therefore, decide that the best way to notify staff about this data processing is through a privacy notice.

Alternatively, you may be able to provide all the relevant information in your consent form.

Do we require consent forms from our staff?

If you are relying on consent as your lawful basis for processing the test data then you will need to obtain a consent form for each of your staff.

You should make it clear what you are asking the staff member to consent to, where you will store their consent information and what their rights are (e.g. withdrawing consent).

You should make it clear that if a staff member withdraws consent after carrying out several tests, you will still retain the existing test results for as long as you have determined necessary under your Data Protection Impact Assessment.

Should we notify others if a member of staff tests positive?

Yes, it would be necessary to contact those who have been in close contact with that member of staff. You should avoid disclosing any information that is not necessary and you should only notify staff who are directly affected.

Do we need a plan in place for retention of the test data?

Yes. As with all your personal data, it is important to have a plan in place for how long you will store the data and what you will do to securely dispose of the data when you no longer need it.

It is difficult to determine the retention period as we are still in a national lockdown and don’t yet have a defined end date for the data being required. It is important to note this in your risk assessment and to build in regular periods when you propose to monitor/review the retention of this data.

If you require any further guidance or assistance with any data protection matters, please contact me at
