How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up to date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

Can I progress an application for EIA development?

Where a development is considered to be “EIA development” (being development where an Environmental Impact Assessment or Environmental Statement is required to be submitted) there are additional statutory publicity and notice requirements over and above the requirements for a standard planning application. Regulations usually require that the environmental statement is to be made available for inspection by the public at all reasonable hours at an address in the locality for a period of at least 30 days. Copies of the environmental statement are also to be made available for people to take away from that address. This clearly requires physical copies to be available at a specified location for a prolonged period of time, which may prove problematic during the current health crisis.

New regulations came into effect on 14 May 2020 which will temporarily suspend the above requirements and will instead require the Environmental Statement to be available for inspection online. The applicant must however provide a certificate to the Local Planning Authority stating what steps have been undertaken to bring the application (and the Environmental Statement) to the attention of people who are likely to have an interest and why it considers that such steps were reasonable.

Can those on sick leave or who have been advised to self-isolate be furloughed?

If an employee is self-isolating (as a result of the pandemic) they may be entitled to SSP. Employers should not furlough employees in this category just because of their absence, but they can furlough if there are genuine business reasons for doing so and other eligibility requirements are met. In these cases the employees should no longer receive sick pay and they would be classified as furloughed.

The guidance has specified that those on long term sick leave or who are ‘shielding’ for 12 weeks in line with public health guidance can also be furloughed. But it is important that you clarify that they do fall in the category of extremely vulnerable (https://www.gov.uk/government/publications/guidance-on-shielding-and-protecting-extremely-vulnerable-persons-from-covid-19). It is up to employers to decide whether to furlough employees who are shielding or on long-term sick leave.

You can claim from the CJRS and also from the two-week SSP rebate scheme (see below) for the same employee, but not for the same period of time. Therefore, if you have a furloughed employee who becomes ill and you subsequently move them to SSP, you cannot claim the furlough rate of pay. If you keep the employee on the furloughed rate, you can continue to claim this under CJRS.

Is it legally enforceable?

The guidance is non-statutory and is not binding on business. However, businesses should be aware that there might be reputational consequences if they do not follow the guidance; we have already seen in the context of taking advantage of furlough funding that not being in breach of the law is no protection against negative publicity. Further, to the extent a contract expressly requires parties to act reasonably, it could be expected that this guidance is one of the factors a court would consider in determining what is reasonable.

VIDEO: Force majeure during the coronavirus pandemic

Commercial partner Damien Charlton explains the basic principles of force majeure, and how they are relevant in the current extreme circumstances caused by the Covid-19 pandemic.

What is the NICE guidance around Service organisation?

  • Trusts should allow for telephone advice rather than face-to-face review from critical care when clinically appropriate.
  • Hospitals should discuss the sharing of resources and the transfer of patients between units, including units in other hospitals, to ensure the best use of critical care within the NHS.

Please note, the above is intended to provide a summary of the key recommendations which emerge from this guidance. Access to the full guidance can be found here.