How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
It is a theoretical possibility that “anti-vax” beliefs could be a philosophical belief under the Equality Act 2010 and therefore anti-vaxers have the right not to be discriminated against for their beliefs. Much will depend on why the individual is against the vaccine. Conspiracy theorists (the vaccine is being used as an opportunity to monitor you or it’s all because of 5G) are highly unlikely to be treated as having a philosophical belief!
In making a Traffic Regulation Order (“TRO”) local authorities must follow the regulations, which include provisions relating to publicity requiring publishing the notice in a local newspaper, making the orders available for public inspection at a Council’s offices (which are likely to be closed to the public during this time) and where considered appropriate, posting the notices on the streets.
In recognition of the potential difficulties with complying with the publicity requirements, the Department for Transport has issued guidance as to how a Council may still publicise a TRO. The guidance recognises that not everyone may be able to access local newspapers online and suggests that people and organisations could be adequately informed by means of letter, leaflet drops, or local radio. In respect of making the relevant document available at the Council’s offices, the guidance suggests that notices could be placed online or outside offices with brief details and including a telephone number or email to use to request a hard copy of the documents.
While the guidance is helpful, it is important to note that it is guidance only and that the regulations have not been relaxed. Authorities will still need to demonstrate that they have satisfied all of the publicity arrangements in respect of the TRO.
If a business has been provided with a loan from 23 March on commercial terms, providing the borrower meets the CBILS eligibility criteria, lenders have been asked to bring these facilities onto CBILS wherever possible (e.g. where the lender is accredited to offer the same facility through CBILS) and changes retrospectively applied as necessary. Please contact us if this applies to you and we can review facilities and advise upon the potential changes that may be made retrospectively to the benefit of the business.
State aid rules are contained in the Treaty on the Functioning of the European Union (previously referred to as the Treaty of Rome). The State aid rules prohibit the use of state resources, or any public support with an economic value, which given selectively has the capacity to distort trade by favouring certain undertakings, or the production of certain goods, and which has the potential to affect trade between Member States. Where aid is present it must not be granted unless it has been specifically approved in advance by the European Commission or benefits from a general exemption to the rules.
In general, the rules apply to all State actions which might assist businesses including:
- Grants
- “Soft” loans
- Selling to business at an undervalue
- Buying from business at an overvalue
Again, the primary point must be that an open dialogue is held with that individual to understand their concerns and to properly consider the impact that not wearing PPE will have on their abilities to undertake their duties. Consideration must be given as to whether there are any parts of their duties that they can undertake and whether they can remain in their role. Engage with the individual to ensure that you understand their point of view. What other duties can they do if they cannot do fulfil all the duties of their role?