General News

COVID-19 National Testing Programme: Schools & Colleges handbook

We've had some questions now that the privacy notice in the COVID-19 National Testing Programme: Schools & Colleges handbook has been published.

The link to the Handbook seems to be broken, but we have a copy here:

pdf Schools Colleges Testing Handbook revised 04012021 (1010 KB)

With associated resources (including the Privacy Notice template) available here:

We are happy with the language and content of the Privacy Notice but wanted to emphasise that there is some editing required and that as with all privacy notices, this should be made available prior to the data being collected.

The legal obligation for processing

For explanatory purposes in Paragraph 2 of the Privacy Notice related to the legal obligation for processing data relating to tests for pupils:

For Maintained schools: Section 175 of the Education Act 2002

For Academies: paragraph 7 of the Schedule to the Education (Independent School Standards) Regulations 2014 

Non-Maintained Special Schools: paragraphs 3 and 14 of the Schedule to the Non-Maintained Special Schools (England) Regulations 2015

These paragraphs specifically emphasise the responsibilities around the welfare of pupils and that guidance needs to be followed when issued by the Secretary of State.

Consent is not the lawful basis of processing data. The consent form is about participation in the test. That's why the age of consent referenced is different from the age of consent for data processing. 

If consent is not provided for participation, that data can and will be recorded and processed lawfully.

Lastly, record keeping. This is special category data relating to health. Just because this is a large project with high throughput and recording of data does not mean that data should not be kept unsecured. Make sure your processes include data and forms kept out of view and secured.

This includes the spreadsheets that you are asked to use to record test results. When using computers, do not leave them unattended and unlocked. And keep the files secure on the network or cloud storage access controlled and only available to the users who need access. 

Review the Records Management Best Practice Area for further guidance