How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
Whilst many employees may now have the resources and equipment to work from home, an employee may struggle to effectively work from home for a number of reasons. For example, an employee may not have a suitable working environment where they can work without being disturbed or alternatively, working from home for prolonged periods of time may be having a detrimental impact on the employee’s mental well-being.
In circumstances such as these, employers must carry out a careful assessment. Unfortunately, there is not any specific guidance as to when an individual cannot ‘reasonably’ work from home – it is likely that each case will be fact specific.
In relation to employees who are struggling with their mental well-being, employers owe their employees a duty of care. It is crucial that procedures are in place which will enable an employer to recognise the signs of stress as early as possible. In the circumstances, it may be appropriate to allow an employee to attend their place of work if this would help alleviate work-related stress or to prevent mental health issues.
The new rules for wearing face masks/face coverings in the workplace introduced on 23 September 2020 are as follows:
- Staff in retail, including shops, supermarkets and shopping centres, will now have to wear a face covering
- Staff in hospitality will now have to wear a face covering
- Guidance stating that face coverings and visors should be worn in close contact services, such as hairdressers and beauticians, will now become law
- Staff working on public transport and taxi drivers will continue to be advised to wear face coverings
You can take off your mask if:
- You who need to eat, drink, or take medication
- A police officer or other official asks you to
No. No action need be taken in relation to the demand but we would advise against presentation of a petition based upon any Statutory Demand issued between 1 March 2020 and the end of the restrictions. As you may be aware, with Winding Up there is no requirement to issue a Statutory Demand notice before proceeding so this is unlikely to create too many issues – click here to see whether you should issue petitions on other grounds.
There is nothing to prevent statutory demands being served at this time. However, there may be limited benefit as it cannot form the basis of a future winding up petition.
Yes. The system for Probate Applications has moved on-line and continues to be available as well as by post. However, if you need to complete an Inheritance Tax Return IHT400 you are likely to experience problems collating information due to delays in many organisations being able to provide you with current values while their offices are closed and staff working remotely. Property valuations will be particularly problematic where surveyors or valuers are unable to attend properties to undertake non-urgent work. If you cannot wait, you must use your best endeavours to be as accurate as possible as regards the information you provide in the IHT400 and follow up by providing HMRC with actual values as soon as you can do so. HM Courts and Tribunal Service is however warning that delays can be expected at this time.
This guidance from the Chief Coroner applies to reports of death and coroner investigations in England and Wales. It is to assist coroners in continuing to exercise their judicial decisions independently, in accordance with the law, and during the extraordinarily pressured events being faced at present.