How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
On 13 March 2020 the Secretary of State for Housing, Communities and Local Government issued a Written Statement in respect of delivery restrictions.
In this respect, many supermarkets, food retailers and distribution centres in England operate under planning restrictions (conditions and/or obligations) which limit the time and number of deliveries from lorries and other delivery vehicles which can take place particularly at night primarily to protect the residential amenity of nearby residential property.
Key points in the Statement include;
- Given the exceptional challenges facing the UK from the coronavirus, it is vital that deliveries of food, sanitary and other essential products over the coming weeks can be made as quickly and safely as possible, minimising disruption to the supply chains. The likely pressures on driver capacity mean additional flexibility is needed so that retailers can accept deliveries throughout the day and night where necessary.
- That planning enforcement is discretionary and that local planning authorities should act proportionately in responding to suspected breaches of planning control.
- That local planning authorities should not seek to undertake planning enforcement action which would result in unnecessarily restricting deliveries of food and other essential deliveries during this period having regard to their legal obligations.
The Statement acknowledges that the increased frequency of deliveries particularly at night could have a temporary impact on residents. It therefore concludes that the Government will review the need for the flexibility outlined in the Statement after the pressure from the coronavirus has reduced and that it is the intention to withdraw it once the immediate urgency has subsided.
A link to the Written Statement is below.
Ordinarily, no but during the pandemic, yes.
You can start employing a Tier 2 or 5 worker who is in the UK before their visa application has been decided if the following conditions have been met.
- You have assigned the worker a Certificate of Sponsorship
- They have made an in time visa application (i.e. they made their new visa application before their current leave expired) and they have provided you with evidence of this
- The job you employ them in is the same as the one stated on their Certificate of Sponsorship.
Sponsors should be aware that they should carry out right to work checks before the individual starts undertaking work for them and if their visa application is eventually rejected, they must stop employing them.
Although sponsors will not be able to record migrant activity on the SMS about these workers, the Home Office has confirmed that any necessary reports should still be made on the sponsor’s internal systems.
If the worker is outside the UK, they may be able to start work for you remotely subject to the relevant employment, tax and immigration requirements in that country.
We don’t recommend this. Status determination statements must be issued before 6 April 2021 for current engagements and the appropriate deductions are to be made on payments for services carried out on or after 6 April 2021.
Yes: The Cabinet Office has published a number of Procurement Policy Notes to provide instructions to Public Bodies to enable payments to continue to be made to at risk suppliers (and their supply chains) who have been affected by Covid-19. Copies of this guidance can be obtained from the Government website at: https://www.gov.uk/government/publications/procurement-policy-note-0220-supplier-relief-due-to-covid-19
Unfortunately, losses caused by pandemics are not often covered expressly under standard policies, as the risk has been difficult for insurers to price and understand.
Even where additional cover in respect of notifiable diseases has been purchased, it typically will not include Covid-19 within the range of diseases covered by the policy. If the policy includes a list of notifiable diseases, and which does not include Covid-19, it is very unlikely that cover will be available for pandemic-relates losses.
The most common types of covers that could be afforded by insurance policies for coronavirus-related losses and liabilities are traditional business interruption insurance, contingent business interruption insurance, liability insurance, as well as cancellation and abandonment insurance.