Skip to content
Menu

Home FAQs How should an employer handle personal information in relation to NHS Test and Trace?

How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

If an employee works with vulnerable people who are at high risk of catching coronavirus, can the employer require them to limit their activities outside of work?

It is unlikely that an employer can place such a requirement on staff without infringing the employee’s privacy. If the employee is acting in accordance with the rules, limiting their activity would likely be considered unreasonable.

Last updated on 25th September, 2020

What was included in the Government’s self-employment income support scheme?
  • A taxable grant worth 80% of the average monthly profit over the last three years (one or two years will be reviewed for those who do not have three years of tax returns)
  • The grant will be capped at £2,500 per month
  • The scheme was initially available for three months and has been extended as necessary
  • Individuals claiming a grant can continue to do business (unlike employees who must not work when furloughed)

Last updated on 31st March, 2020

Are the Courts still open and operating?

Yes, but the Courts have been temporarily restructured into three categories:

  1. Open courts (open for business including vital in person hearings)
  2. Staffed courts (for video and telephone hearings)
  3. Suspended courts (no hearings of any kind)

These changes have been effective from Monday 30 March 2020.

Last updated on 15th May, 2020

Can I continue to operate from my commercial premises during the crisis?

The Government guidance does not require any business to close except some non-essential shops and public venues, so in theory, all businesses can continue to occupy and operate from their existing premises. However, government guidance strongly encourages businesses to arrange for everybody able to work from home to do so. The majority of office sector business will fall into this category.

In the industrial sector, the majority of businesses will not be able to operate via home working and will, therefore, need to retain employees on site though in some cases this may be able to be scaled back.

Any tenants continuing to operate from their premises should consider whether or not they need to make any alterations to the premises to facilitate social distancing of employees and whether or not such works would require a consent from the Landlord under the terms of the lease.

Last updated on 2nd April, 2020

If there is an outbreak of coronavirus in a workplace – will it be RIDDOR reportable?

The reporting requirements relating to cases of, or deaths from, COVID-19 under RIDDOR apply only to occupational exposure, that is, as a result of a person’s work.

You should only make a report under RIDDOR when one of the following circumstances applies:

  • an accident or incident at work has, or could have, led to the release or escape of coronavirus (SARS-CoV-2). This must be reported as a dangerous occurrence
  • a person at work (a worker) has been diagnosed as having COVID-19 attributed to an occupational exposure to coronavirus. This must be reported as a case of disease
  • a worker dies as a result of occupational exposure to coronavirus. This must be reported as a work-related death due to exposure to a biological agent

Last updated on 23rd June, 2020