How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
Following our webinars on all aspects of furlough and alternatives to redundancy, it is an unfortunate fact that a number of organisations are likely, sooner or later, to be forced to make some employees redundant.
Our employment experts Jamie Gamble and Roisin Patton take you through the key aspects of conducting cost reduction redundancies, but with a focus on aspects that make this exercise different this time. For instance:
- How are you going to conduct sensitive meetings remotely?
- How are you going to ensure that dismissing any furloughed staff will be fair? You may have furloughed at speed, but redundancy selection criteria cannot be defined by such factors.
- Will you use this time to review your selection criteria if you already have some in place?
- How will you deal with individuals who are shielding, have child care issues or are pregnant?
- How do you ensure this is all done sensitively and fairly for those roles that are being made redundant, but also for those who continue to work for you but are still isolated on furlough or working from home?
- And what are the risks for making redundancies in this “new normal”?
Although you may be perfectly familiar with redundancy exercises these are far from normal times and it is therefore worth pausing to think about the impact that Covid-19 might have and what else you need to think about or plan for.
The webinar was recorded on Thursday 2nd July.
Office holders who provide services under an intermediary (such as a service company consultancy agreement) and whose services relate to the office held, would fall under the IR35 regime and must be assessed accordingly.
CBILS is made available through the British Business Bank’s 40+ accredited lenders and partners, which are listed on their website (https://www.british-business-bank.co.uk/ourpartners/coronavirus-business-interruption-loan-scheme-cbils/accredited-lenders/).
Businesses should initially approach their own lender and only consider other lenders if they are unable to access the finance they need. Note, not every accredited lender can provide every type of finance listed.
Some banks/lenders are not included in the list of accredited lenders which appears to mean that they cannot provide support through the Scheme. We understand from the British Business Bank that further lenders are applying to be accredited but that this may take a little time to process. If the provider of your senior debt is not on the accredited list you should consider approaching the bank which provides your day to day account banking services.
If you wish or need to access the Scheme via an alternative funder the process may take longer as usual on-boarding and KYC processes will need to be undertaken.
The reality of these unprecedented times is that enforcement of health and safety legislation by the HSE (particularly through the criminal courts) in relation to Covid-19 is an extremely unlikely outcome.
- Trusts should allow for telephone advice rather than face-to-face review from critical care when clinically appropriate.
- Hospitals should discuss the sharing of resources and the transfer of patients between units, including units in other hospitals, to ensure the best use of critical care within the NHS.
Please note, the above is intended to provide a summary of the key recommendations which emerge from this guidance. Access to the full guidance can be found here.