Skip to content
Menu

Home FAQs How should an employer handle personal information in relation to NHS Test and Trace?

How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

Can employees who are self-isolating or on sick leave be placed on Flexible Furlough?

Employers had the ability to furlough extremely vulnerable employees who needed to shield.

If your employee is on sick leave or self-isolating as a result of Coronavirus, including as a result of track and trace, they’ll be able to get Statutory Sick Pay, subject to other eligibility conditions applying.

There is no special exemption for them, so they would need to meet the usual requirements to be placed on Flexible Furlough after 1 July 2020. i.e. They had to have been placed on furlough for at least 3 weeks before 1 July. Otherwise, they could not be furloughed.

Last updated on 16th June, 2020

What is IR35?

IR35 is an anti-tax avoidance regime which is intended to tackle (in HMRC’s view) the long standing issue of individual contractors providing their services or labour via an intermediary – which is usually a personal service company (referred to as a PSC). We’ll talk about PSCs here, but there are other types of intermediaries that are caught.

HMRC’s view is that this arrangement is often considered to be disguised employment and therefore a tax-avoidance arrangement.

So IR35 is essentially a test of employment status – and if, once you apply the test, the contractor should be an employee, they should then be taxed as an employee.

Last updated on 4th February, 2021

What are the key questions to ask ourselves as a business?

Some examples of the key questions to ask include:

  • Is there still a viable underlying business that is likely to continue beyond the current crisis?
  • What does the revised short to medium cash flow look like and will the company continue to be able to pay its liabilities?
  • Does the company have the support of all of its stakeholders – lenders, shareholders, customers, suppliers and banks – even though the business might be in breach of its own obligations?
  • What measures could (and should) the board put in place to protect creditors, including making sure that exposure to creditors (both collectively and individually) is not increased, assets are not sold at less than value and no creditor is treated more favourably than another?
  • Is there still a reasonable prospect of the business avoiding liquidation or administration?

The key question is always whether accepting the money is in the best interests of creditors as a whole bearing in mind that accepting Government support and continuing to trade might increase the company’s overall liabilities. Directors should be mindful that if the business fails, their decisions during this critical time may be scrutinised and it is therefore important that directors have up-to-date financial information and projections to form the basis of any decisions, take stock, get the right advice and document the decisions that are taken.

Last updated on 27th March, 2020

What guidance has the CMA issued about how it expects businesses to behave in response to the global pandemic?

On 30th April 2020, the CMA issued a guidance note setting out its views about how the law operates in relation to refunds.

Where a contract is not performed as agreed, the CMA considers that in most cases, consumer protection law will generally allow consumers to obtain a refund.

This includes the following situations:

  • Where a business has cancelled a contract without providing any of the promised goods or services
  • Where no service is provided by a business, for example because this is prevented by Government public health measures
  • A consumer cancels, or is prevented from receiving any services, because Government public health measures mean they are not allowed to use the services.

In the CMA’s view, this will usually apply even where the consumer has paid what the business says is a non-refundable deposit or advance payment.

This positon reflects the CMA’s previous guidance which they had issued in relation to the requirement of fairness in consumer contracts under the Consumer Rights Act 2015, which was that a clause in a contract that gives a blanket entitlement to a trader to cancel a contract and retain deposits paid is likely to be unfair, and therefore unenforceable – it would be unfair to a consumer to lose their deposit if the contract is terminated without any fault on their part, and if they had received no benefit for the payments made.

The CMA’s latest guidance therefore confirms their view that the Covid-19 outbreak does not change the basic rights of the consumer, and that they should not have to pay for goods or services that they do not receive.

Last updated on 7th May, 2020

What is the difference between individual and collective consultation?

Where it is envisaged that 20 or more employees will be dismissed at a relevant establishment within a 90 day period or less, then collective consultation is required (in addition to individual consultation) and the company must inform BEIS (using form HR1).

If there are less than 20 dismissals then you are only required to carry out individual consultation.

Last updated on 7th May, 2020