How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
Employers will need to be flexible with employees who are unable to return to work at present due to childcare difficulties. While schools have reopened, a period of isolation may result in employees having to keep children off school/nursery and therefore have childcare issues. Some employees will be able to manage this with their partner and extended family, whereas others will not. Where an employee simply cannot make any other arrangements to care for their children in the short term then they will be unable to return to work until that situation changes. Any dismissals on the basis that someone is unable to return to work as a result of lack of childcare are likely to be unfair, at least in the short term where such employees may well be able to demonstrate that they had no options available to them.
Where one or more of the parties is represented, responsibility for making the arrangements for the remote hearing will fall on either the applicant or the first represented party. If no party is legally represented, the court office will contact the parties to explain that the hearing will be held by telephone conference and will send them instructions on how this is to be achieved.
All remote hearings must be recorded. The responsibility for arranging the recording will be addressed on a case by case basis.
Changing to shift working may give employers the opportunity to change hours / pay whilst also focusing work when it is needed. Like the other provisions, this should be done fairly, either across the board or by selecting teams/individuals based on objective business reasons. Imposing without agreement would create significant risk, therefore would require fair selection and consultation.
Some commercial tenants have queried whether the current situation is a force majeure which may allow it to terminate the lease. Clauses which allow a party to terminate a lease for a force majeure event or, to put it another way, an “act of God”, are however extremely rare in modern commercial leases. Even if there is such a provision in your lease, it would need to be drafted to apply to an outbreak of disease.
On 2 April 2020, the Government issued guidance relating to Private Finance Initiatives and PF2 Projects. The guidance, which is to be enforced with immediate effect (currently due to stay in place until 30 June 2020), is one of several guidance notes issued to date.
A link to the guidance is set out below:
Key messages to contracting authorities
- PFI contractors should very much consider themselves as being part of the public sector response to the current pandemic
- Covid-19 is not regarded as, and is not to be classified as a force majeure event
- PFI contractors must ensure that contingency plans are up to date and have been reviewed and discussed with contracting authorities to enable the continuity of full services to respond to the pandemic and maintain vital public services
- Contracting authorities should work closely with PFI contractors to use all available options to maintain public services during the emergency period
- Local arrangements should be made where PFI contractors can’t deliver the agreed requirements and performance standards
- “Best efforts” should be made by all parties for the continuation of service provision