How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
Many charities have money that are considered restricted funds which are given to the charity or raised for a specific purpose. The Charity Commission gives guidance on this, please see the link below. Depending on the circumstances in which these monies have been given to a charity or raised you may or may not be able to use them.
Monies raised in an appeal or specific fund raising campaign are unlikely to be available as it is likely to be impossible to get the permission of the donor to change the use. If however you have had monies donated for a specific purpose and you can identify the donor you can use these funds for general overheads and to pay wages etc. if you receive the donor’s specific permission to do so.
Those individuals who are already exempt from the existing face covering obligations, will continue to be exempt from the new rules. These include:
- Those unable to put on or wear a face covering because of a physical or mental illness or disability
- People for whom wearing or removing a face covering will cause severe distress
- Anyone assisting someone who relies on lip reading to communicate
The Government assured parity for the self-employed but it has since accepted that this would be difficult to achieve. The Association of Independent Professionals and the Self-Employed (IPSE) has worked closely with the Government on implementing the current self-employment income support scheme. IPSE has confirmed that it will continue to work on helping to extend measures to all freelancers in need as a result of Covid-19.
The Government announced an extension to the Self-Employment Income Support Scheme from 1 November 2020.
The amount an insurer charges for providing cover is a critical aspect of the underwriting process. The premium must be sufficient to cover expected claims but must also take into account the possibility that the insurer will have to access its capital reserve –it is risk assessment based and the greater the risk, the higher the premium. Historically, insurers of high-rise buildings would have only had to prepare for a loss caused by damage to just a few flats within a building. That is because the design and construction of that building, with the right materials and fire safety provisions in place, should have limited the spread of fire and allowed the damage to be contained –or at least make this an extremely low risk. Now we know that many buildings have been designed, built and signed off in a regulatory system that an independent Government review has found was not fit for purpose. Premiums will reduce overtime but will be dependent upon the perceived level of risk reducing as the regulatory regime, BSA and BSR become more established.
As an occupier of premises, you owe a duty of care to your visitors to take reasonable care to see that the visitor will be reasonably safe in using your premises.
It is therefore essential that you are taking reasonable steps and strictly adhering to up-to-date Government advice in all aspects of your business to avoid any potential liability.
Failure to follow Government advice could leave you vulnerable to claims for compensation for pain and suffering should a visitor on your premises contract Covid-19.
However, each case will be fact-specific and it would be very difficult for a visitor to establish that they contracted Covid-19 specifically from those premises (as opposed to being exposed to the virus anywhere else).
If someone suggests that they are going to make a claim make sure that you report matters to your insurer or insurance broker immediately.