How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
The current situation with the coronavirus pandemic has presented obvious challenges to the effective and fair operation of the Court of Protection (COP). Remote access to the COP has therefore become a necessity to ensure that hearings continue to provide proper access to justice. All parties involved in such cases have a responsibility in achieving this primary aim.
The FCA’s test case in the Supreme Court ruled overwhelmingly in favour of policyholders. However, business interruption cover generally has the prerequisite of physical damage or loss to the property (or in some circumstances, the presence of a notifiable disease at the property or within a certain radius of it), to recover losses caused by the interruption to your business. The onus is on insurers to re-assess those claims which are impacted by the Supreme Court’s judgment and to make contact with the policyholders regarding next steps. If you have not already made a claim, in the first instance the terms of any policy should be checked carefully to see whether business interruption cover is provided.
The Government announced on 22 June 2020 that it would be making provisions to enable planning permissions that have lapsed since 23 March 2020, and those that are due to lapse before the end of 2020, to be automatically extended.
The Government’s detailed proposals are set out in section 17 of the Business and Planning Act 2020, which entered the statute books on 22 July 2020. If a relevant planning permission is subject to a condition which requires the development to be begun no later than between 19 August 2020 (when section 17 of the Business and Planning Act 2020 will come into effect) and 31 December 2020, the condition is automatically deemed to instead provide that the development must be begun no later than 1 May 2021.
The Act also makes provision for any conditions requiring development to be begun between 23 March 2020 and 19 August 20202 to be extended to 1 May 2021, although this is not automatic. Where the provisions have such retrospective effect, an application is required to the local planning authority. The local planning authority are only able to grant approval, however, if they are satisfied that any EIA and habitats assessments continue to be valid. Deemed approval provisions will apply if the local planning authority do not determine any application within 28 days. The local planning authority are not able to approve such applications after 31 December 2020 so applications should be made in good time in advance of this date. There is the possibility of an appeal against the local planning authority’s decision but notice of the appeal must be submitted before 31 December 2020.
The Act includes similar provisions in relation to both detailed and outline planning permissions.
To facilitate social distancing the Home Office has stated that as of 30 March 2020, the following are permitted:
- The RTW check can now take place over video call.
- Job applicants no longer have to send original documents but can send scanned copies or photos to the employer.
- Where the job applicant cannot provide these documents, employers can use the Employer Checking Service and if they have the right to work, then the employer will receive a Positive Verification Notice which will provide the employer with a statutory excuse for 6 months.
These adjustments remain in place until the Home Office confirms otherwise.
Yes.
Workers (and agency workers) who are aware of the requirement to self-isolate and are due to work during their isolation period at a place other than their designated place (see below) must, as soon as reasonably practicable and in any event before they are next due to start work within the isolation period, tell their employer that they are self-isolating, and set out the start and end dates of their isolation period.
Clear communication to all workers about their obligation to do this is strongly recommended.