How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
We have teamed up with Scaleup North East to help companies impacted by the coronavirus outbreak plan how to get back to business.
Our specialist lawyers will provide a free “diagnostic” call with eligible businesses across the NE, exploring challenges they are facing in the aftermath of the lockdown, and identify specific steps to survive, and then thrive, in these challenging times and beyond.
Through the collaboration with Scaleup North East, eligible North East-based SMEs are then able to apply for up to 40% funding towards up to £4,000 of legal advice.
These might include:
- Employment issues, such as dealing with a phased return to work
- Measures to support cash-flow, such as amendment to terms of trading and debt collection procedures
- Renegotiations and amendments to contracts, and other advice about contracts with suppliers and customers to deal with consequences of Covid-19
- Managing property costs – review of leases, advice on break clauses and formalisation of any revised arrangements recently put in place with landlords/tenants
- Health and safety implications of return to work and social distancing
Find out more on our website or contact partner Damien Charlton. If you are not eligible because of location but are interested in the free “diagnostic”, please contact us.
Yes, but your claim will be limited to any enhanced contractual payments you make to employees who qualify for the relevant family related pay.
All maternity and parental rights remain in force for anyone in this category who is furloughed. However you may need to calculate average weekly pay differently if the employee was furloughed and then started family related leave on or after 25 April 2020.
Furlough pay cannot be claimed for the period that an employee is receiving Maternity Allowance. An employee can agree to accept furlough pay but they must contact Jobcentre Plus to stop their Maternity Allowance payments for this period.
Although these measures fall short of the level of assurance given to employees both in terms of eligibility for an immediacy of access to payments, they are a vast improvement on the support for self-employed workers that has been put in place until now. Current support includes:
- Access to business interruption loans
- Self-assessment tax payments that were due in July 2020 have been deferred until January 2021
- VAT is deferred until the next quarter
- The introduction of Time to Pay arrangements under which deferrals for HMRC payments can be agreed
- The minimum income floor for universal credit has been suspended which will allow self-employed workers to access the equivalent of Statutory Sick Pay (SSP)
- Universal credit and tax credit payments to increase by £1000 per year
The now defunct Guidance for the Tier system suggested that the clinically extremely vulnerable would be treated in the same way as those who were shielding in Lockdown 1. This means that anyone who is clinically extremely vulnerable and cannot work remotely, will be entitled to SSP. These employees should receive a letter confirming that they are deemed to be clinically extremely vulnerable/shielding and you should ask for a copy of it as evidence to support a claim for SSP. It is likely that the Lockdown 3 Guidance will be the same.
You could also furlough an employee in the clinically extremely vulnerable category. Again we do not anticipate this changing.
That will depend on the terms of your facility and the stance taken by your bank.
Banking facilities often place obligations on businesses to stick to certain financial criteria. For example, an obligation to keep turnover or profit above certain levels or a commitment to keep the bank’s exposure within an agreed percentage of the value of the company’s assets (known as loan to value ratio).
The consequences of breaching those covenants will depend on the terms of your facility, but normally this amounts to an event of default. Events of default can result in the loan (or whatever form the facility takes) becoming repayable and could give the bank certain powers to take action to recover the money that they are owed.
Whether the bank will take action during these unprecedented times is another matter, particularly given the extent of support being offered to businesses via mainstream lenders and the political desire to keep viable businesses up and running. Lenders themselves will no doubt wish to remain supportive where possible. The underlying performance of the business (and whether but for the effects of Covid-19 it would have been in a healthy financial position), the relationship you have with the bank and your history with them will no doubt be relevant to the approach taken by the bank. However, early engagement with your bank (as well as other key stakeholders in the business) will be important.