How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
If the duties are so fundamentally different from their contracted role, then yes. For example, if you are asking a frontline clinical member of staff to undertake administrative tasks in another area, then this will be a fundamental change to their terms and conditions for which you need their consent.
If there is a minor alteration to their duties, or the clause within their contract is wide enough to cover their amended duties, then arguably to do not need their consent but best practice would be to obtain their agreement.
The guidance has confirmed that all remaining employment rights and terms continue while an employee is furloughed. Holiday will continue to accrue during furlough however you may reach agreement with employees on reducing entitlement provided that it does not fall below the statutory minimum of 5.6 weeks per year.
The CMA sees only limited circumstances in which a full refund would not be given. The CMA accepts that where public health measures prevent a business from providing a service or the consumer from receiving it, the business may be able to deduct a contribution to the costs it has already incurred in relation to the specific contract in question.
This view reflects a relatively complex area of law under which parties are released from obligations under a contract if performance of that contract becomes impossible or illegal. This is called “frustration” of the contract. Under a law passed during World War II, a party to a contract that is frustrated who has incurred expenses is permitted, if the court thinks fit, to retain an amount up to the value of those expenses out of any money they have been paid by the other party.
The CMA’s view, however, is that this will not happen often, and that deductions from deposits will be limited.
The definition of a relevant establishment is a question of fact for an Employment Tribunal. Guidance from case law says that ‘establishment’ should be interpreted very broadly (so as to avoid employers escaping the need to collectively consult), and may consist of:
- A distinct entity
- With a certain degree of permanence and stability
- Which is assigned to perform one or more tasks
- Which has a workforce, technical means and a certain organisational structure to allow it to do so
However, there is no need for it to have the following:
- Legal, economic, financial, administrative or technological autonomy
- A management which can independently effect collective redundancies
- Geographical separation from the other units and facilities of the undertaking
We recommend that ongoing support is provided to all MHFA’s beyond completion of the MHFA training. It is necessary to do refresher training (approx. every 3 years) and ideally ongoing ‘continued professional development’ should be provided as well as regular opportunities for debriefing / seeking support. One way of supporting your MHFAs in the workplace is by creating a buddy system amongst the MHFAs. That way the individuals carrying out the role of MHFAs have a support structure in place amongst themselves. All trained MHFAs can also reach out to management to discuss any concerns they have or to seek any further support they need.