How is the Pensions Regulator reacting to the crisis?

The NHS Test and Trace service is operated by the NHS in England to track and help prevent the spread of COVID-19. Where an individual displays symptoms of coronavirus they can be tested to determine whether or not they have the disease. Those with the disease will then be contacted by NHS contact tracers and asked who they have come into close contract with.
Close contact is defined as:

• Face to face (within 1 metre)
• Spent more than 15 minutes within 2 metres of another person
• Travelled in a car or on a plane with another person

The contact tracer will then contact those people with whom the individual has come into close contact and tell them to self-isolate for 14 days.

Although these measures fall short of the level of assurance given to employees both in terms of eligibility for an immediacy of access to payments, they are a vast improvement on the support for self-employed workers that has been put in place until now. Current support includes:

• Access to business interruption loans
• Self-assessment tax payments that were due in July 2020 have been deferred until January 2021
• VAT is deferred until the next quarter
• The introduction of Time to Pay arrangements under which deferrals for HMRC payments can be agreed
• The minimum income floor for universal credit has been suspended which will allow self-employed workers to access the equivalent of Statutory Sick Pay (SSP)
• Universal credit and tax credit payments to increase by £1000 per year

• Trusts should allow for telephone advice rather than face-to-face review from critical care when clinically appropriate.
• Hospitals should discuss the sharing of resources and the transfer of patients between units, including units in other hospitals, to ensure the best use of critical care within the NHS.

Please note, the above is intended to provide a summary of the key recommendations which emerge from this guidance. Access to the full guidance can be found here.

Whilst it is acknowledged that doctors may be working in unfamiliar circumstances or surroundings, or in clinical areas outside their usual practice. Doctors should consider the best course of action to take in these circumstances by utilising the following:

• What is within their knowledge and skills
• What support other members of the healthcare team could offer
• What will be best for the individual patient given available options
• The protection and needs of all patients they have a responsibility towards
• Minimising the risk of transmission and protecting their health.

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

• Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
• Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
• Only use the information for the purpose of managing the workforce during the pandemic.
• Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
• Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
• Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
• Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
• Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
• Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
• All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.