COVID-19 privacy statement

We keep this privacy notice under regular review and it was last updated on 24 January 2022.

Kent County Council respects your privacy and is committed to protecting your personal data. This privacy notice is supplemental to our corporate privacy statement, and will inform you as to how we will process, share and look after your personal data in response to and during the COVID-19 (coronavirus) pandemic. This privacy notice will be kept under review as the pandemic develops.

Who we are

For information about who we are, please read our corporate privacy statement.

The personal information we collect and use

Information collected by us

In the course of responding to the COVID-19 (coronavirus) pandemic and providing you with the support you need, the personal information we will collect about you will include:

  • name
  • contact details e.g. phone number or email address
  • household composition
  • address
  • postcodes
  • date of birth
  • age
  • NHS number
  • financial information
  • gender
  • carer status.

We will also collect ‘special category data’ (personal data which is more sensitive and is treated with extra care and protection) about:

  • your health
  • your ethnicity
  • care
  • your support needs
  • if you have tested positive or negative for COVID-19
  • if you have been vaccinated.

We will obtain personally identifiable data from other sources in order to identify people who are vulnerable to the coronavirus, may require support as a result of the coronavirus or meet eligibility to be prioritised for vaccination based on the priority groups set by the Joint Committee on Vaccination and Immunisation. This includes personal information about individuals who do not meet our normal support criteria, but have had their normal support from family or friends reduced or interrupted.

We will obtain information from:

  • Government Digital Service (this may include data from the NHS and other departments)
  • providers of care homes, nursing homes and domiciliary care services
  • district and borough councils
  • voluntary and carer organisations
  • Public Health England
  • Kent and Medway Clinical Commissioning Group.

How we use your personal information

We will use your personal information to:

  • identify and record people who may be vulnerable to the coronavirus or otherwise require support during the pandemic
  • deliver the Vulnerable Patient Service (whereby we will receive information from the NHS’ Vulnerable Patient List in order to coordinate care provision for persons identified as vulnerable in relation to COVID-19, and in accordance with the online form submitted by the user, for food, medicine, medical, health and/or mental health support)
  • understand COVID-19 and risks to public health
  • understand information about patient access to health services and adult social care services and the availability and capacity of those services or that care
  • monitor and manage the response to COVID-19 by health and social care bodies and the government, including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
  • for research and planning in relation to COVID-19
  • support the delivery of the COVID-19 Vaccination Programme
  • control and prevent the spread of COVID-19
  • support NHS Test and Trace by providing a local contact tracing service in Kent. Read the privacy notice for the Kent Local Tracing Partnership.
  • deliver services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of healthcare and adult social care services.
  • schedule appointments for symptom-free COVID-19 tests. More information on how your data is used for this purpose is available to read here.
  • help update and inform pre-admission COVID-19 testing status for hospital admitted patients.

This list may change depending on the needs of the response efforts. However, any use of data will be proportionate and necessary for the delivery of those efforts.

Reasons we can collect and use your personal information

We rely on the following as the lawful bases on which we collect and use your personal data:

  • ‘Vital Interests’ (the processing is necessary to protect someone’s life), Article 6(1)(d)
  • ‘Public Task’ (the processing is necessary to perform a task in the public interest or for our official functions), Article 6(1)(e). The legislation which underpins this lawful basis includes:
    • Care Act 2014
    • Children’s Act 1989
    • Health and Social Care Act 2012
    • Homelessness Reduction Act 2017
    • Localism Act 2011
    • Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002

Additionally, for the collection and use of special category data during the pandemic, we rely on the following legal bases:

  • It is necessary for the purposes of carrying out obligations in the field of social protection law, Article 9(2)(b) GDPR (along with the accompanying condition in the Data Protection Act 2018 as set out in Schedule 1, condition 1).
  • It is necessary for reasons of substantial public interest, Article 9(2)(g) GDPR (along with the accompanying condition in Schedule 1 of the Data Protection Act, i.e. for statutory and government purposes, or for the safeguarding of children and individuals at risk).
  • It is necessary for reasons of public interest in the area of public health, Article 9(2)(i) GDPR. (along with the accompanying condition in the Data Protection Act 2018 as set out in Schedule 1, condition 3).
  • It is necessary for the provision of health and social care, Article 9(2)(h) GDPR (along with the accompanying condition in the Data Protection Act 2018 as set out in Schedule 1, condition 2.
  • It is necessary for the protection of vital interests, Article 9(2)(c) GDPR.

How long your personal data is kept

Some of the information being used will already be held by us and will be kept in line with our retention schedules (PDF, 4.0 MB).

However, we will be collecting new information as a result of the response to the pandemic. We will not keep this information for any longer than necessary. We do not yet know how long the pandemic will continue for, so the requirement to keep this information will be kept under review.

Who we share your personal information with

We are working with partners and organisations locally and nationally to make sure we deliver a co-ordinated and good service to you. We will share personal information where it is necessary and proportionate in responding to the pandemic and providing you with care and support. We will, where applicable, share your personal information, including health information, with the following:

  • community hubs
  • NHS Trusts
  • hospitals
  • GPs
  • district and borough councils
  • social care providers
  • voluntary organisations and any other providers where we feel they can help meet your service needs.

This is not an exhaustive list and may change as the situation with the pandemic does. We will only share the minimum information necessary for the purpose. Please also refer to the main corporate privacy statement for further examples of third parties who we may need to share your information with, if appropriate and necessary.

Your rights

For information on how to exercise your rights, please refer to the corporate privacy statement.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We will ensure appropriate data sharing arrangements are entered into with organisations with whom we are regularly sharing data.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.


For information on who to contact if you wish to exercise any of your rights or have a complaint about how your personal data has been used, please refer to the corporate privacy statement.

The council is identifying alternative ways of delivering its services during the pandemic, for example, replacing face-to-face visits with telephone or video-conferencing. You will be provided with a more specific privacy notice by those services, where relevant. You can also refer to other service specific privacy notices via our corporate privacy statement.