Skip to content
Menu

Home FAQs How should an employer handle personal information in relation to NHS Test and Trace?

How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

What are the minimum consultation time limits?

Where an employer is proposing to dismiss:

  • 100 or more employees at one establishment within a 90-day period, consultation must begin at least 45 days before the first dismissal takes effect
  • Between 20 and 99 employees within a 90-day period, consultation must begin at least 30 days before the first dismissal takes effect
  • If you are proposing to dismiss less than 20 employees then there are no minimum time limits but you must adhere to a fair process which will involve individual consultation and providing the employee with a right of an appeal

Last updated on 7th May, 2020

When does Flexible Furlough start?

The Flexible Furlough Scheme was introduced from 1 July 2020 and is due to come to an end on 30 September 2021.

Last updated on 16th June, 2020

Unpaid leave and sabbaticals

Employees will be reluctant to take unpaid leave or a sabbatical but when faced with the alternative prospect of redundancy may give it some serious consideration. This would remove the cost of that employee from the employer’s business for an agreed period of time. This is an option which can be offered to employees but again, imposing it without agreement creates significant risk.

Last updated on 6th May, 2020

VIDEO: In conversation with cashflow.co.uk expert Chris Silverwood about CBILS

Partner at Ward Hadaway Adrian Ballam talks to corporate finance expert and CBILS specialist Chris Silverwood (CorpFin and cashflow.co.uk) to explore the practical ins, outs, dos and don’ts of CBILS applications, answering the questions:

  1. How are banks making their assessments of whether a business can afford a CBILS loan when for many they cannot accurately forecast their revenues for at least the next three months?
  2. What are the red flags that banks are looking for when assessing whether or not to grant a request for a CBILS loan?
  3. What cost mitigation measures should a business have already implemented prior to applying for a CBILS loan?
  4. What level of information should a business provide to support a CBILS application?
  5. What common mistakes are businesses making when applying for funding?
  6. What general tips do you have for businesses seeking CBILS funding?

Click read more to view the video.

Last updated on 22nd April, 2020

What has been the response from the Competition and Markets Authority (CMA)?

The CMA is the government body that is responsible for protecting consumers from unfair trading practices. It has announced programme of work to investigate reports of businesses failing to respect cancellation rights during the Coronavirus pandemic.

Based on the complaints received by them from consumers, the CMA has identified three sectors of particular concern:

  • Weddings and private events
  • Holiday accommodation
  • Nurseries and childcare providers

The CMA has expressed concern about the number of complaints that it has received about businesses seeking to retain deposits for cancelled events, undue restrictions being placed on use of vouchers provided for cancelled bookings, and payments being demanded to hold open nursery places.

The CMA has said it will prioritise investigation of these sectors, and then move on to other sectors.

Last updated on 7th May, 2020