How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
Civil Court listing priorities, last updated by HMCTS on 24 April 2020, categorise the Court’s work into the following:
Priority 1 – work that must be done: this includes any applications in cases listed for trial in the next 3 months, any applications where there is a substantial hearing listed in the next month, all multi-track hearings where parties agree that it is urgent (subject to triage).
Priority 2 – work that could be done: Infant and Protected Party approvals, Applications for interim payments in multi-track / personal injury / clinical negligence cases, Applications to set aside Judgment in default, Preliminary Assessment of costs.
The full guidance can be found at:
An employer has a duty of care to its workforce and must take reasonable precautions to protect the health and safety of employees. Employers also have a duty of care towards anyone entering or using their place of business, such as visiting clients or customers.
This means that if an employer reasonably believes that wearing face masks at work is appropriate and necessary, it can issue an instruction to employees to this effect and employees should abide by this as far as possible.
However employers should be cautious about introducing and enforcing a policy across its business which requires its staff to wear face masks as there is the risk of unlawfully discriminating against people who are exempt from wearing face coverings or have legitimate reasons for not doing so. An employer should also consider the duty to make reasonable adjustments for disabled employees and discuss any concerns raised by employees who do not want to or feel unable to wear a mask.
The immediate impact is accounting for payroll purposes for the additional cost of 13.8% employers NIC’s and 0.5% apprenticeship levy on top of the payment to the contactor’s PSC.
Secondary NIC’s cannot be recovered from payments due to employees and the same applies under the new IR35 regime. However, new terms can be agreed with reduced level of fees to reflect this additional cost.
Lenders implementing the Scheme can assist in a number of ways, including:
- Term loans
- Overdrafts
- Invoice finance
- Asset finance facilities
The maximum value available under the scheme is £5m, with repayment terms of up to six years for term loans and asset finance. Overdrafts and invoice finance facilities will be available for up to three years.
Employers who have apprentices on fixed-term contracts due to end during the pandemic should discuss arrangements with the apprentices including whether an extension to the contract can be offered to allow them to complete their apprenticeship.