How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
The Cabinet Office has published a useful Procurement Policy Note (“PPN”) on relief available to suppliers due to Covid-19 (available here). In brief, you should not be penalised by a public sector body, if, in the current circumstances, you are unable to comply (fully or partly) with your contractual obligations. Public sector bodies are expected to work with suppliers and, if appropriate, provide relief against current contractual terms. This is in order to maintain business and service continuity and avoid claims being accepted for other forms of contractual relief, such as the occurrence of a force majeure event.
The types of relief that may be available to suppliers to the public sector will depend on the existing contracts in place. Some contracts may have a payments by result mechanism, whereas others may be based on certain key performance indicators (KPIs) being met. Other contracts may not include any such mechanisms and therefore it will be a matter for discussion between suppliers and the public sector body.
The PPN provides that, rather than a supplier seeking to invoke a clause that would permit the supplier to suspend performance of its obligations (such as a force majeure clause), public sector bodies should first work with the supplier to amend or vary the contract. Any changes should be limited to the particular circumstances and considered on a case-by-case basis. Changes could include:
- Amending the contract requirements
- Varying timings of deliveries
- Relaxing KPIs or service levels
- Extending time for performance (e.g. revising a contract delivery plan), and/or
- Preventing the public sector from exercising any rights or remedies against the supplier for non-performance (e.g. liquidated damages or termination rights).
These should only be temporary variations and the contract should return to the original terms once the impact of the Covid-19 outbreak on the contract has ended. Discussions with the public sector body about any changes that are agreed should be documented, in a variation signed by both parties.
A public sector may also need to take account of regulation 72 of the Public Contract Regulations 2015, to ensure that any changes to a contract (even of a temporary nature) do not trigger a requirement to conduct a new tender process. Whilst this may be unlikely to be the case with temporary variations, suppliers should still bear this in mind when discussing any changes to a contract with a public sector body.
If you are a supplier to a public sector body and you are currently struggling to meet your contractual obligations, we recommend that you take legal advice as to whether it might be possible to take advantage of the flexible approach that the PPN requires public sector bodies to adopt – it could be that you can avoid service credits or other financial deductions, or the need to serve formal notices such as “force majeure” or other relief notices.
Employers who have apprentices on fixed-term contracts due to end during the pandemic should discuss arrangements with the apprentices including whether an extension to the contract can be offered to allow them to complete their apprenticeship.
You had until 23 April 2020 to submit your return in order to be considered for eligibility.
Yes: The Cabinet Office has published a number of Procurement Policy Notes to provide instructions to Public Bodies to enable payments to continue to be made to at risk suppliers (and their supply chains) who have been affected by Covid-19. Copies of this guidance can be obtained from the Government website at: https://www.gov.uk/government/publications/procurement-policy-note-0220-supplier-relief-due-to-covid-19
Hosted by Advanced Manufacturing Forum, Partner, Matt Cormack discussed in this webinar how to avoid risks associated with your customer and supply chain contracts during this challenging Covid-19 period.
The webinar covers common questions such as:
- Can force majeure excuse me or my suppliers from paying on time?
- What are the risks to my business if I can’t perform on time due to Covid-19?
- What will happen to my contracts if the Government takes steps to require me to close down my facility?
To watch the full recording, please click here. (To note the recording begins at 10 minutes)
If you have any follow up questions, please do not hesitate to contact one of our lawyers detailed below or use our ‘ask us a question‘ feature.