Skip to content
Menu

Home FAQs How should an employer handle personal information in relation to NHS Test and Trace?

How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

Can employers reduce their pension contributions?
  • Yes, if contributions to a defined contribution (“DC”) scheme exceed statutory minimum for auto-enrolment purposes, it may be possible to reduce employer contributions to the statutory minimum, but not further.
  • However, the processes required for reduction of DC employer contributions will necessitate obtaining legal advice:
    • Reducing employer contributions may require changes to the employment contracts of affected staff (as does the furlough process).
    • Reducing employer contributions may also require negotiation with trade unions or other staff representative forums.
    • Where group personal pensions are used, the contractual format may not permit changes of employer contributions, and hence it may also be necessary to enter into a new contractual arrangement. Choosing a new group personal pension plan is a not insignificant task in itself.
    • Employers with at least 50 employees are required to conduct a 60-day consultation process with affected employees if they propose to reduce employer contributions (but please see below).
    • Finally, it may require a change to the scheme rules and engagement with the scheme trustees if the scheme is operated under trust.
  • For DB schemes, specific considerations apply (see the last section, below).

Last updated on 14th April, 2020

What options do I have if I have staff with childcare responsibilities but their job cannot be done at home?

If it is not possible to find work for the employee to do at home, you do have the option of putting the employee on furlough.

Last updated on 5th January, 2021

How can schools access training for MHFA?

Schools should be considering both Youth MHFA training and Adults MHFA training so that there are people within every school who have the skills and knowledge to support the mental health needs of students and teaching staff.

Last updated on 8th April, 2022

How do I determine contractor status?

You must exercise reasonable care in assessing status and making a status determination, considering what the position would be if the contractor was engaged directly by the end user client instead of via a PSC.

Status is usually determined by looking a number of factors and how they apply to the contractor’s working arrangements. This is a difficult exercise that is usually carried out by employment and tax lawyers and it is full of grey areas. We have a toolkit that can help you navigate this process which Paul will tell you more about at the end of the session.

The key factors used to determine status  are:

  • Control:
    • How much control does the end user client have over the contractor in terms of working arrangements (hours, place of work) and how the work is carried out? Or is the individual contractor able to determine how and when they work and without direct supervision of the end user client?
  • Personal service:
    • Is the contractor required to perform the services personally without the right to send a substitute? If there is a right to appoint a substitute is this subject to end user client approval?
  • Mutuality of obligation:
    • Is the end user client obliged to provide the contractor work with a mutual obligation on the contractor to accept that work?

Last updated on 4th February, 2021

Are permitted development rights now in existence for the creation of emergency medical facilities?

Yes. The Town and Country Planning (General Permitted Development) (Coronavirus) (England) (Amendment) Order 2020 came into force on 9 April 2020 giving permitted development rights for emergency development. The permitted development right is available to local authorities and health service bodies (as defined) on land owned, leased, occupied or maintained by it for the purposes of:

  • Preventing an emergency
  • Reducing, controlling or mitigating the effects of an emergency
  • Taking other action in connection with an emergency

It could cover, for example, the temporary change of use of buildings into a Nightingale Hospital or the establishment of a testing centre.

The permitted development right is not permitted in certain instances and is subject to a number of conditions including the notification of the local planning authority and the cessation of the use before 31 December 2020.

Further detail of the permitted development right is available at the link below.

http://www.legislation.gov.uk/uksi/2020/412/made

Last updated on 14th April, 2020