Covid-19 (Coronavirus)

High risk groups

This privacy notice is to make it easier to understand and provide you with more information about how Maidstone Borough Council may seek to collect and hold information about you in relation to the unprecedented challenges we are all facing during the Coronavirus pandemic (COVID-19).

At this time, Maidstone Borough Council may seek to collect and process your personal data in response to the recent outbreak of Coronavirus, which is above and beyond what would ordinarily be collected in order to ensure your safety and well-being.

Such information will be limited to what is proportionate and necessary, taking into account the latest guidance issued by the Government and health professionals, in order to manage and contain the virus.

It will enable the Council to effectively fulfil our functions to keep people safe, put contingency plans into place to safeguard those vulnerable and aid business continuity.

What personal data is being collected?

In order to best respond and help coordinate the community response for COVID-19 it is necessary to collect:

Basic details including your name, address, telephone number and email address.  We may also need to collect details about your health to identify if you (or those closely linked to you) are in any of the high-risk categories and would be considered vulnerable, if infected with coronavirus.

Who is processing your data?

All personal data held, is processed in accordance with data protection law. The Data Controller for the information outlined in this privacy notice is Maidstone Borough Council.

How we will use the information we hold about you?

We will use the information you provide to:

  • Connect you to support in the community as part of the COVID-19 response.
  • To analyse your information in order to improve the services we offer.

What is your lawful basis for processing your personal data?

The legal basis for processing the data is in the public interest to deal with the outbreak of COVID-19.

The General Data Protection Regulation requires specific conditions to be met to ensure that the processing of personal data is lawful.  These relevant conditions are below:

  • Article 6(1)(d) – is necessary in order to protect the vital interests of the data subject or another natural person.
  • Recital 46 adds that “some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”.
  • Article 6(1)(e) – is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Section 8(c) of the Data Protection Act sets out that such a task must be necessary for the performance of a function conferred on a person by an enactment or rule of law.
  • The processing of special categories of personal data, which includes data concerning a person’s health, are prohibited unless specific further conditions can be met. These further relevant conditions are below:
    • Article 9(2)(i) – is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
    • Schedule 1, Part 1(1) – is necessary for the performance or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, e.g. Health and Safety at Work Act 1974.
    • Schedule 1, Part 1(3) – is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law, e.g. Governmental guidance published by Public Health England

Who we will share your information with?

We will not share your information with anyone else unless required to do so under additional legal requirements, for example to assist the government in containing the spread of COVID-19.   This may be where we are required to do so by law, to safeguard public safety, and in risk of harm or emergency situations.

Information will not be shared with other parts of the Council for any other non-related purposes.

Any information which is shared will only be shared on a need to know basis, with appropriate individuals. Only the minimum information for the purpose will be shared.

How long will my personal data be retained by the Council?

The Council will only keep your information for as long as it is necessary, taking into account of Government advice and the ongoing risk presented by coronavirus. At a minimum the information outlined in this privacy notice will be kept for the duration of the COVID-19 response.

Information provided in relation to this outbreak of coronavirus will not be used for any other purpose, including to be held within personnel files ‘just in case’ it may be needed again.

When the information is no longer needed for this purpose, it will be securely deleted.

Your rights

If you are not happy about the way your personal data is being processed you can complain directly to the Data Protection team.

You also have the right to complain to the Information Commissioner’s Office (ICO).

Information Commissioner's Office,
Wycliffe House,
Water Lane,

Phone: 08456 30 60 60 (local rate) or 01625 545 745 if you prefer to use a national rate number
Email: Information Commissioner's Office email
Website: Information Commissioner's Office website

If you require further information about how we process your personal data, you can contact our Data Protection Officer.

NHS Test and Trace

What information do we collect from you

As a customer/visitor of a Maidstone Borough Council owned-site you will be asked to provide some basic information and contact details. The following information will be collected:

  • the names of all customers or visitors, or if it is a group of people, the name of one member of the group
  • a contact phone number for each customer or visitor, or for the lead member of a group of people
  • date of visit and arrival time and departure time

In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.

Why do we collect this information

To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we have been mandated by law to collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing.

By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.

The use of your information is covered by the General Data Protection Regulations Article 6 (1) (c) – a legal obligation to which we are subject to. The legal obligation to which we are subject means that we are mandated by new regulations from the Government to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of coronavirus.

Who might we share this information with?

Maidstone Borough Council stores your information on our behalf. View the Maidstone Borough Council privacy information.

We do not transfer personal data outside the UK, or the EU.

We are responsible for the collection of your personal data, and will be responsible for compliance with data protection legislation for the period we hold your information.

When that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation.

The NHS Test and Trace service as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect your personal information that it receives from us, from loss, misuse, and unauthorised access, disclosure, alteration and destruction.

What do we do with your information

If another customer at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).

This information will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order).

Future Government guidance may also require us to provide information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, date of birth and phone number).

How long do we keep your information?

NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.

Where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.

Other information that we may be required to share will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.

How can I access information you hold about me?

By law, you have a number of rights as a data subject, such as the right to be informed, the right to access information held about you and the right to rectification of any inaccurate data that we hold about you. These rights are not absolute, but you may contact us using the details below if you wish to exercise any of these rights.

If you wish to complain or would like to exercise your rights regarding how your information is used, you should contact the Data Protection Officer at:

Data Protection Officer
Maidstone Borough Council
Maidstone House
King Street
ME15 6JQ

01622 602000

If you are still not satisfied, you can complain to the Information Commissioner’s Office. Their website address is

Test and Trace Support Payments

Who we are?

Maidstone Borough Council, King Street, Maidstone, Kent, ME15 6JQ, t 01622 602000

Angela Woodhouse,

How do we collect information from you?

We collect information from you when you visit; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face.

What types of information do we collect from you?

Name, Address, Phone number, Email Address, Health/Disability, Financial, Employment

Our legal basis for using your information is:

Compliance with a legal obligation

We will use your information to:

To process awards of Test and Trace Support Payments.

Research Statistics

Anonymised Pseudonymised data may be used for research statistical purposes. Any Data collected may be used for research and statistical purposes that are relevant and compatible with the purpose that the data was collected for.

Who has access to your information?

As part of your claim, the information you provide us with will be matched with other data held by the Council as well as third parties.

To enable us to prevent or detect crime, to protect public funds and to help protect public health your information may be shared with third parties.

The council may also share data with both internal and external organisations for the purposes of validating any applications or support you may make or have made for other council services.

We will also need to provide information to HMRC about any payments we make, as we understand that, where applicable, the payments are subject to Tax.

We may share your information with third parties for the reasons detailed above this will include but is not limited to:

  • NHS Test and Trace (CTAS)
  • DWP
  • The Police
  • Environmental health
  • Finance Team
  • Housing Department
  • Your Employer
  • HMRC
  • Immigration Service, Absconder Services and/or UK Border Agency
  • health and social care organisations
  • other local authorities

What are your rights in relation the personal data we process?

Access – you can request copies of your personal information that is held by the Council.

Rectification – you can ask us to correct any incorrect information.

Deletion – you can ask us to delete your personal information. The Council can refuse to delete information if we have a lawful reason to keep this.

Portability – you can ask us to transfer your personal data to different services or to you.

Right to object or restrict processing – you have the right to object to how your data is being used and how it is going to be used in the future.

Right to prevent automatic decisions – you have to challenge a decision that affects you that has been made automatically without human intervention, for example an online form with an instant decision.

How long will we keep your information for?

In line with our record retention schedule, records relating to the Test and Trace Support Payment will be kept for 6 + current years.

What security precautions in place to protect the loss, misuse or alteration of your information?

We are strongly committed to data security and will take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard the information you provide to us.

Keeping your data up to date

We want to ensure any information we hold is accurate. You can help us by promptly informing us of any changes to the information we hold about you.

Details of any automated decision processes

There are no automated decisions in this process.

Under 13s

If you are accessing online services and are aged 13 or under‚ please get your parent/guardian's permission beforehand whenever you provide us with personal information.


If you would like to make a complaint regarding the use of your personal data you can contact our Data Protection Officer; Angela Woodhouse.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO) at:

Information Commissioner's Office,
Wycliffe House,
Water Lane,

Phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Email: Information Commissioner's Office email
Website: Information Commissioner's Office website