How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
A common feature of corporate acquisitions is that part of the consideration is paid on deferred terms or by way of earn out over a period of years following completion. Where deferred consideration is payable, this is either on the basis that outstanding payments will be made on scheduled dates or, less usually, subject to certain agreed (typically financial) objectives being met. These objectives almost always relate to a period before completion of the deal and are dealt with as part of a completion accounts mechanism.
Government guidance is that public transport should be avoided wherever possible. Transport providers will be expected to follow government guidance to make their services more COVID-19 secure.
IR35 is an anti-tax avoidance regime which is intended to tackle (in HMRC’s view) the long standing issue of individual contractors providing their services or labour via an intermediary – which is usually a personal service company (referred to as a PSC). We’ll talk about PSCs here, but there are other types of intermediaries that are caught.
HMRC’s view is that this arrangement is often considered to be disguised employment and therefore a tax-avoidance arrangement.
So IR35 is essentially a test of employment status – and if, once you apply the test, the contractor should be an employee, they should then be taxed as an employee.
At the discretion of the lender, the Scheme may be used for unsecured lending for facilities of £250,000 and under.
Lenders were required to demonstrate lending additionality (i.e. lending that without the Scheme, wouldn’t have otherwise taken place). The Scheme has been extended to those businesses who would have previously met requirements for a commercial facility and would not have been eligible for CBILS. As a result it is suggested that all viable small businesses affected by Covid-19, and not just those unable to secure regular commercial financing, will now be eligible should they need finance to keep operating.
Primary Residential Property cannot be taken as Security under the Scheme. If the lender can offer finance on normal commercial terms without the need to make use of the Scheme, they will do so.
One of the key legislative requirements of EMI is that the employee satisfies the working time requirement, which is that they work at least 25 hours per week in the company or, if less, 75% of the employee’s total working time. If the working time requirement ceases to be met, then there is a “disqualifying event”. That means that the tax benefits of EMI ceases. It may also mean that the option lapses, but that depends on the specific terms of the option.
An employee who has been furloughed is by definition no longer working 25 hours/week and therefore on the face of it, there is a disqualifying event. However, the Government has tabled an amendment to the Finance Bill currently going through Parliament providing in effect that time not worked because an employee has been furloughed counts as working time, both for determining whether the working time requirement is met initially and whether there is a disqualifying event. Provided this amendment is enacted, this should address the issue.