Skip to content
Menu

Home FAQs How should an employer handle personal information in relation to NHS Test and Trace?

How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

I have essential workers who do home visits. How do I assess the risks?

The fundamentals of risk assessment remain the same as for any other foreseeable risk.

Focus on risk controls which reflect Government guidance; social distancing (2 metres) and avoiding contact with occupiers if possible, high-quality PPE – disposable overalls, gloves and fluid repellent surgical face masks, ready access to antibacterial wipes for surfaces, tools and equipment and plentiful hand sanitizer.

Last updated on 5th January, 2021

What is the guidance for doctors working during the pandemic?

The General Medical Council (GMC) have published guidance online for doctors during this time of uncertainty.

 

Alongside this, their website displays guidance for temporary registration to approximately 15,000 doctors, who left the register or gave up their licence to practise in the last three years.

 

These clinicians have been contacted to assist with the growing pandemic, outlining the process they would follow and informing them of their right to opt-out. The Secretary of State for Health can ask the GMC to grant such registration under Section 18a of the Medical Act 1983, in an emergency.

Last updated on 26th March, 2020

What was the eligibility criteria for the Government’s self-employment income support scheme?

You will be eligible if you are a self-employed individual or a member of a partnership and you:

  • have trading profits of up to £50,000
  • earn the majority of your income from self-employment
  • have submitted a Tax Return for 2019
  • have traded in the tax year 2019/20
  • are trading when you apply for a grant, or would be except for Covid-19
  • intend to continue to trade in the tax year 2020/2021
  • have lost trading/partnership profits due to Covid-19

 

Last updated on 31st March, 2020

Preparing for April 2021 – what do you need to do?
  • Audit
    • Identify your off-payroll contractors
    • Determine the status of off-payroll contractors
      • CEST – HMRC employment status checker for tax purposes
  • Communication – liaise with affected workforce
  • Contracts – get them compliant
  • Consider the Ward Hadaway toolkit

Last updated on 4th February, 2021

What is IR35?

IR35 is an anti-tax avoidance regime which is intended to tackle (in HMRC’s view) the long standing issue of individual contractors providing their services or labour via an intermediary – which is usually a personal service company (referred to as a PSC). We’ll talk about PSCs here, but there are other types of intermediaries that are caught.

HMRC’s view is that this arrangement is often considered to be disguised employment and therefore a tax-avoidance arrangement.

So IR35 is essentially a test of employment status – and if, once you apply the test, the contractor should be an employee, they should then be taxed as an employee.

Last updated on 4th February, 2021