How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
From 8 June 2020, people entering the UK from overseas (excluding those entering from Ireland, the Channel Islands or the Isle of Man) must comply with a mandatory 14 day quarantine period. However, for those travelling to England, a number of country specific exemptions have been introduced.
A full list of the countries excluded from the quarantine provisions can be found on the gov.uk website which change on a regular basis, often on short notice.
Where a quarantine period does apply, a person will not be able to leave the place they are staying in for 14 days, except in some very limited circumstances.
These rules will apply to both British and foreign nationals, however there are some further exemptions to this rule where a person is coming to the UK to undertake a certain role (such as a healthcare professional coming to the UK to provide essential healthcare). A full list of the narrow exemptions can be found on the gov.uk website.
Before travelling, individuals will be asked to provide their contact details and information about their journey and the accommodation that they will be self-isolating in. To do this, individuals will need to fill in an online form on the gov.uk website. Individuals who refuse to fill in this form may be fined £100 and/or denied entry at the UK border should they not be a British citizen or UK resident.
The information provided in the form will ensure that the Government can check that an individual is self-isolating at the address given. Where an individual refuses to self-isolate they can be fined £1,000 if they are staying in England or Wales.
Once visa application centres re-open overseas and UK visa applications are processed, this 14 day period will need to be taken into consideration and may require employment start dates in the UK to be delayed.
The Flexible Furlough Scheme was introduced from 1 July 2020 and is due to come to an end on 30 September 2021.
The vast majority of disputes settle without ever reaching a final hearing with something in the region of 2-5% of all cases actually ending up in court at a final trial. So whilst it is very unlikely you would need to attend a court hearing, it is always a possibility.
There have always been ways for public bodies to assist without being required to notify these for approval. These continue to be available during the financial crisis, and are likely to be increasingly useful for measures which need to be introduced quickly. The measures include:
Those where it is possible to conclude that there is no effect on trade between Member States – for example, measures which are likely to have only a limited local effect. The European Commission has concluded, for example, that measures to assist locally-focused cultural activity can be assumed to have no effect on inter-State trade.
Those where it is possible to conclude that the State is acting in a way consistent with a commercial operator (the so-called Market Economy Operator Principle) – particular care will need to be taken in the context of current economic conditions to ensure that it can reasonably be asserted that a commercial operator would act in the same way as the public body.
Measures under the General Block Exemption Regulation – this legislation allows various types of aid, or aid schemes, to be employed.
Examples include aid for SMEs, aid for research and development, aid for local infrastructure and aid to ports and airports.
De Minimis Measures – Member States are permitted to grant small amounts of aid to undertakings over three fiscal years (the current year and the previous two years). This allows undertakings to receive up to €200,000 (or €500,000 where they are providing public services).
The CLC has also prepared a template letter that firms may adopt and issue to their workforce regarding travel to work. This can be accessed at download document.
The CLC’s current advice to those carrying out works on site is to carry out your own risk assessment on each site and determine whether or not it is safe to continue to work in accordance with the Public Health England instructions and the CLC Site Operating Procedures. If it is not possible to work in accordance with the above they should not work.