Skip to content
Menu

Home FAQs How should an employer handle personal information in relation to NHS Test and Trace?

How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

How is the Pensions Regulator reacting to the crisis?
  • The Pensions Regulator has published regularly-updated guidance for employers.
  • It will take “a proportionate and risk-based approach towards enforcement decisions … with the aim of supporting both employers and savers”. In other words, the law remains the same, but the Regulator will show restraint in enforcement against breaches.

Last updated on 14th April, 2020

What questions/factors should you look at to determine whether your procedure/policy in respect of MHFAs is or isn’t working?

It really depends on what your measure of success is! We would suggest regular wellbeing surveys – if the results of wellbeing surveys suggest that the culture is becoming more open, more psychologically safe, if people are asking for help or referring colleagues to MHFAs as a safe and effective pair of hands – these would be strong indicators of success.

Last updated on 8th April, 2022

Who is responsible for planning in the event of an excess of deaths?

In the unfortunate event that there will be a significant number of deaths, planning will fall to the local resilience forum; which includes all relevant local organisations and statutory bodies, who will have prior experience in working in excessive death scenarios.

It is for the coroners to ensure that they are familiar with the local resilience forum plans and discussions required. This will include issues regarding storage capacity and post-mortem examination capacity.

Last updated on 31st March, 2020

What other options are there to reduce employment costs?

If you don’t want to make redundancies, or if you can’t reduce employee resource, either in a particular department or across the workforce as a whole, then you need to think about alternatives to redundancy.

Equally, you may want to flex the resource you have available to you – without making drastic changes.  For example you may want to consider:

  • unpaid leave and sabbaticals
  • retraining and redeploying
  • forcing annual leave
  • flexible working
  • capability issues
  • lay off
  • short time working
  • reductions in salary
  • reductions in working hours
  • changing to shift working

Last updated on 6th May, 2020

What does “Force Majeure” mean?

Crucially the phrase “force majeure” has no specific meaning in English law. As a result, there is scope for complex legal argument, including as to whether the effects of the coronavirus outbreak can amount to force majeure in the first place. If the coronavirus crisis deepens, force majeure provisions could become relevant in the following ways:

  • suppliers to your business might seek to invoke force majeure
  • you may need to invoke force majeure under your own contracts

Each of these will need careful analysis of the relevant contract against the applicable factual background. Unfortunately, the position is unlikely to be clear cut.

Last updated on 27th March, 2020