How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
The Chief Coroner supports the position, communicated by NHS England and the Chief Medical Officer that Covid-19 is an acceptable direct or underlying cause of death for the purposes of completing the Medical Certificate of Cause of Death (MCCD) and is considered a naturally occurring disease. This cause of death alone is not a reason to refer a death to a coroner under CJA 2009.
If the cause of death is believed to be due to confirmed Covid-19 infection, there is unlikely to be any need for a post mortem to be conducted and the MCCD should be issued, and guidance is given on how this is delivered to the Registrar in the event of the next of kin/informant being in self-isolation.
In a hospital setting the MCCD process should be straightforward because of diagnosis and treatment in life. This may be more complex in a community setting. The Coronavirus Act 2020 however expanded the window for last medical review from 14 to 28 days. Outside of this, the death will need to be reported to the coroner.
Although Covid-19 is a naturally occurring disease, there may be additional factors around the death which mean it should be reported to the coroner; for example, the cause of death is unclear, or where there are other relevant factors. Guidance is given to coroners on how to manage such reported deaths, particularly where post mortem examinations may not be readily availability.
Read more about thisIt is envisaged that employees of organisations falling into the first two categories set out above and won’t be eligible for the job retention scheme in relation to the majority of their employees. It is envisaged that NHS Trusts for example are going to require their staff to be working at full capacity where possible. However, the guidance doesn’t definitely exclude public sector organisations from furloughing employees and notably the government expects such organisations to use public money to continue to pay staff and not furlough them, rather than say requires. In reality, it is difficult to see how such an organisation will be able to rely on the scheme, but the guidance doesn’t completely rule it out.
Read more about thisCompanies House guidance on the impact of coronavirus on their services can be found at: https://www.gov.uk/guidance/coronavirus-guidance-for-companies-house-customers-employees-and-suppliers
This flexibility offered by Companies House could be a useful short-term help to businesses that are struggling to deal with the impact of the Covid-19 outbreak, but be sure to take action in advance of your filing deadline.
Read more about thisIf the business has areas requiring an increased workforce whilst others require a reduced workforce, staff can be retrained and redeployed across the organisation or even across a wider group of companies. This will not reduce the wage bill but will avoid the need for redundancies. Making fundamental changes to an employee’s role and duties will require their agreement following a fair selection and consultation process.
Read more about thisA common feature of corporate acquisitions is that part of the consideration is paid on deferred terms or by way of earn out over a period of years following completion. Where deferred consideration is payable, this is either on the basis that outstanding payments will be made on scheduled dates or, less usually, subject to certain agreed (typically financial) objectives being met. These objectives almost always relate to a period before completion of the deal and are dealt with as part of a completion accounts mechanism.
Read more about this