How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
On 25th June 2020, the Corporate Insolvency and Governance Act, among other things, introduced new restrictions on suppliers of goods and services to terminate the contract in the event that the customer enters an insolvency process. This has very important consequences for many businesses as it could expose them to greater financial risks.
The only potential negatives are the potential for MHFAs to become overloaded, or for MHFAs to overstep the boundaries of their role. Both would be avoided if a suitable framework is in place around them, and if adequate ongoing support and training is provided.
The BBC
The national broadcaster’s collated content surrounding the Covid-19 pandemic:
https://www.bbc.co.uk/news/coronavirus
and with regards to business:
https://www.bbc.co.uk/news/business
You had until 23 April 2020 to submit your return in order to be considered for eligibility.
Normally, once you have submitted the online visa application and paid the fee, you have to attend an appointment to enrol your biometrics and verify your passport within 45 days. This requirement has been relaxed due to the visa application centres being closed.
Now that application centres have mostly reopened, you must book and attend an appointment to complete the application process. However, the Home Office has recently introduced the IDV app which allows applicants who previously gave their fingerprints as part of a previous application since July 2015, to upload a photo electronically. There will then be no need to attend a Visa Application Centre to submit their biometrics. Applicants who are eligible to use this electronic option will be contacted by UKVI.