Skip to content
Menu

Home FAQs How should an employer handle personal information in relation to NHS Test and Trace?

How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

What rules has the European Commission introduced?

The Commission has provided guidance as to measures which Member States can introduce without notification. These include:

  • Measures which apply to all businesses within a Member State (for example the furloughing measures introduced by the UK Government)
  • Measures providing support direct to consumers
  • Measures which are already exempt from the notification requirement (discussed further below).

To respond to the crisis the European Commission has also issued a temporary framework to provide a basis for emergency aid to be notified for approval. The framework is initially in place until 31 December 2020. The Commission continues to keep this under review and has twice widened its scope to allow more types of aid to be notified. The type of measures covered include:

  • The provision of guarantees (including guarantees for 100% of loans)
  • The provision of loans at low interest rates, at zero interest rates or subordinated to senior debt
  • Measures to support liquidity needs or to alleviate difficulties caused by the current crisis
  • Measures to recapitalise businesses
  • Measures to assist sectors hit particularly hard by the current crisis (eg transport)
  • Measures targeted at COVID-19 such as research and development or production of products related to tackling the virus

The Commission has approved a UK Government “umbrella” notification to allow UK public authorities to adopt the measures permitted by the Commission framework. Therefore public authorities in the UK can use the Framework without notifying individual measures or schemes to the Commission.

Last updated on 31st March, 2020

How should contracting authorities work with PFI providers?
  • Working with PFI providers to get contingency plans up to date
  • If a PFI provider is struggling to achieve service delivery requirements due to Covid-19, then local arrangements should be put in place to:
    • maintain unitary charge payments
    • revise contract requirements/standards

moderating payment and performance regimes where appropriate.

  • In any event, you may wish to review and adjust your requirements to reflect the current situation. It is possible that some requirements can be relaxed, whereas others need to be tightened. For example, there may be an increased need for cleaning and maintenance in certain areas of your PFI premises or the layout of the premises and/or room uses may have temporarily changed. With staff illness and shortage likely to be an issue, you may also wish to consider if the resource can be moved from one area to another to help maintain essential services.
  • When putting local bespoke arrangements into place it is vital that:
    •  Contract requirements or performance standards are not relaxed to the point where health and safety are put at risk.
    • It is made clear that the arrangements are temporary and that matters will return to normal as soon as the Covid-19 emergency is over. Indeed the guidance note makes clear that if assets temporarily close they should be kept in such condition that they can be immediately up and running when this emergency is over. In such instances, likely a basic level of maintenance and security will therefore be required as a minimum.

Last updated on 6th April, 2020

My reserved matters application is due to be submitted, can I delay this?

The Business and Planning Act 2020 entered the statute books on 22 July 2020. Section 18 of the Act includes provisions for the extension of the date by which a reserved matters application must be submitted where the original date falls between 23 March 2020 and 31 December 2020. Where the original time limit for the submission of reserved matters is on or after 19 August 2020, the relevant conditions will be automatically read as requiring the reserved matters application to be submitted by 1 May 2021.

Where the original time limit for the submission of reserved matters is before 19 August 2020, an application will need to be made to the LPA for an Additional Environmental Approval (“AEA”), which the LPA must determine within 28 days otherwise the approval is deemed to be provided. The purpose of the AEA is to consider whether the environmental assessments carried out at the time of the original outline determination remain valid and up to date, and where that is not the case, the AEA will be refused. In such circumstances a new planning application will be required where an application is now out of time to comply with the original date for submission of reserved matters.

Last updated on 1st July, 2020

Which publicly funded organisations can consider furlough?

Some employers falling into the third group of organisations described above could understandably feel aggrieved that on the first reading of the guidance they are not able to furlough employees and rely on the Government scheme. Many publicly funded organisations that are not public sector employers, receive a package of public funding with little expectation on how that funding is used or applied, other than broadly for it to be used in providing the services it is contracted to deliver. Also, several publicly funded organisations have many different income streams and the element of funding that is received from the public purse can be only an element of their operating costs.

Unfortunately there is still no clear guidance on when employers falling into the third category identified above can use the scheme. The only reference in the guidance on this states that where organisations are not “primarily funded” from the public purse and whose staff cannot be redeployed to assist with the coronavirus response, the scheme might be appropriate to be used for some staff. This seems to suggest that where an employing organisation is not wholly or mainly funded by public funding and staff cannot be redeployed to work in areas in the effort to combat coronavirus, then it would be appropriate for the employer to access the scheme.

If considering applying for grants under the scheme a sensible approach would be to look at the combined total of your public funding and payments under the scheme and make sure it will not represent more than 100% of the level of total income you would have expected to receive during this period in a non-Covid scenario.

Local Authorities are expected to maintain support to suppliers and this should be considered:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/874178/PPN_02_20_Supplier_Relief_due_to_Covid19.pdf

Last updated on 9th April, 2020

What support did the Chancellor announce for employers to be attracted to take on apprentices?

The Chancellor announced that employers will be given £2,000 to employ apprentices and £1,500 for apprentices over the age of 25 for each apprentice they hire from 1 August 2020 to 31 January 2021. These payments will be in addition to the existing £1,000 payment the Government already provide for new 16-18 year old apprentices.

He also announced that employers would be given £1,000 for taking on trainees in response to the traineeship scheme being extended.

Last updated on 8th July, 2020