How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
Employees who are union or non-union representatives may undertake duties and activities for the purpose of individual or collective representation of employees or other workers. However in doing this, they must not provide services to or generate revenue for, or on behalf of your organisation or a linked or associated organisation.
Employees who are pension scheme trustees or trustee directors of a corporate trustee may also undertake trustee duties in relation to the pension scheme. However, a professional, independent pension scheme trustee who has been furloughed by the independent trustee company cannot undertake trustee work that would provide services to or generate revenue for, or on behalf of, the independent trustee company or any organisation linked or associated with that independent trustee company during hours when they are recorded as being on furlough.
Despite remote hearings being the default position at present, formal permission will still be required by the court and a template order was circulated with the guidance. This template sets out the relevant directions and recitals to include in your order. An application to the COP for a remote hearing will not be required.
The CMA is the government body that is responsible for protecting consumers from unfair trading practices. It has announced programme of work to investigate reports of businesses failing to respect cancellation rights during the Coronavirus pandemic.
Based on the complaints received by them from consumers, the CMA has identified three sectors of particular concern:
- Weddings and private events
- Holiday accommodation
- Nurseries and childcare providers
The CMA has expressed concern about the number of complaints that it has received about businesses seeking to retain deposits for cancelled events, undue restrictions being placed on use of vouchers provided for cancelled bookings, and payments being demanded to hold open nursery places.
The CMA has said it will prioritise investigation of these sectors, and then move on to other sectors.
Conduct risk assessments! Your RA must cover every foreseeable risk arising from a return to the workplace, including the impact of reduced staff levels and any operational/administrative changes necessary to ensure social distancing.
Appropriate steps should be taken to manage and mitigate identified risks. Where this is not possible, businesses need to decide whether certain activities are necessary for the business to operate or if they can be temporarily put on hold.
Keep a close eye on the comprehensive Government guidance: https://www.gov.uk/guidance/working-safely-during-coronavirus-covid-19
In particular focus on social distancing and workplace health measures. This guidance will evolve over time and you will need to be sure that your organisation is sticking to it AND reviewing and updating its risk assessment.
- Do not require them to work
- Continue to communicate with and support them
- Allow them to work from home, is there alternative work for them to do if they can’t do their work from home
- Offer SSP or allow them to take holiday if they want to.