How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
It is possible to review working arrangements for contractors before the new rules come into effect. This will require immediate action.
You could consider terminating current contracts and entering into new terms that reflect working arrangements for a self-employment arrangement.
Another possibility is encouraging contractors to abandon the PSC model and provide services under a compliant umbrella company.
In the event of a determination of employed status you should seek to enter new terms that at the very least reflect the new tax arrangements .
The government released further clarification on the Coronavirus Job Retention Scheme on 4 April. The wording referred to concerning public sector organisations and organisations receiving public funding remains the same.
The revised guidance does provide a helpful insight into how HMRC will deal with applications made to it for assistance under the scheme. It appears that there won’t be a particularly forensic approach adopted by HMRC. The guidance says you can furlough staff if you cannot maintain your current workforce because your operations have been severely affected by coronavirus.
It goes on to say that all employers are eligible to claim under the scheme and the government recognises different businesses/organisations will face different impacts from coronavirus. The need to demonstrate the impact of coronavirus on your business/organisation is not one of the criteria businesses/organisations are going to need to satisfy, so the government does not appear to intend to set a specific test to determine if a business/organisation is “severely impacted by coronavirus”. It is hoped that this should provide additional comfort to publicly funded organisations facing significant restrictions to their operations during the Covid-19 crisis.
In the unfortunate event that there will be a significant number of deaths, planning will fall to the local resilience forum; which includes all relevant local organisations and statutory bodies, who will have prior experience in working in excessive death scenarios.
It is for the coroners to ensure that they are familiar with the local resilience forum plans and discussions required. This will include issues regarding storage capacity and post-mortem examination capacity.
On 7 May the Government published guidance on how contracting parties can act responsibly in order to assist the effort to deal with Covid-19. The guidance seeks to persuade contracting parties to act reasonably and recognise the impact of Covid-19 on contractual counterparties. This will continue to be relevant as business begins to emerge from lockdown.
The Office of the Public Guardian is continuing to accept applications to register Lasting Powers of Attorney but their usual estimated timescale of eight to ten weeks is likely to be affected by the current situation.
Consequently, an alternative or interim measure if you need something quickly is to execute a General Power of Attorney to authorise someone to act as your Attorney to undertake day to day financial transactions for you. The General Power of Appointment only needs to be executed by you in the presence of a witness (not the Attorney) to be valid and does not need to be registered with the Court of Protection. However, the Power of Attorney would cease to have effect if you become incapable of managing your affairs. It should be seen as a stop-gap only.