Skip to content

How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

The National Lockdown Guidance states that anyone who is clinically extremely vulnerable should not attend work. What options do I have if an employee is in the clinical extremely vulnerable category but cannot do their job at home?

The now defunct Guidance for the Tier system suggested that the clinically extremely vulnerable would be treated in the same way as those who were shielding in Lockdown 1. This means that anyone who is clinically extremely vulnerable and cannot work remotely, will be entitled to SSP. These employees should receive a letter confirming that they are deemed to be clinically extremely vulnerable/shielding and you should ask for a copy of it as evidence to support a claim for SSP. It is likely that the Lockdown 3 Guidance will be the same.

You could also furlough an employee in the clinically extremely vulnerable category. Again we do not anticipate this changing.

Can I be investigated or prosecuted by HSE if one of my workers contracts Covid-19?

The reality of these unprecedented times is that enforcement of health and safety legislation by the HSE (particularly through the criminal courts) in relation to Covid-19 is an extremely unlikely outcome.

How do I avoid disputes and approach extensions of time and claims for additional payment with my Employer or Supplier?

The Construction Leadership Council (with backing from the Government) has issued practical guidance and draft pro-forma documents to enable all parties involved in the construction supply chain to enter into collaborative and open dialogue about applications for extensions of time and additional payment and to minimise potential disputes. The guidance can we downloaded here

The draft letters and notices included in the guidance have been prepared on the basis of the standard JCT Design and Build 2016 and NEC 3/4 Engineering and Construction Contract (Option A) and parties will need to make sure that they are completed/adjusted to comply with their own specific contracts.

The Cabinet Office has also issued a general statement calling on parties to contracts adversely affected by C-19 to act responsibly and fairly and to support national efforts to protect jobs and the economy.

How do I remain compliant and cover any risk?

Data on properties, and people, has never been more important.

Given that compliance is at risk here, such a decision must be made by the Board to ensure good governance. Board approval should be sought and recorded for the approach the organisation is taking.

It is essential that you continue to record your data on compliance and report to your board at all times, and that there is a clear audit trail for issues with access, and if appropriate to the Regulator. Access issues as a result of self-isolation should be readily identifiable.

Operatives need to be provided with the tools to operate in as safe a way as possible:

  • Checklist of questions to ascertain occupant’s current health
  • Protective equipment (masks, gloves, over clothing)

The Gas Safe website is a useful resource for updates: https://www.gassaferegister.co.uk/help-and-advice/covid-19-advice-and-guidance/

Can I ask my employees to stay away from home overnight during the national lockdown?

As above, employees must not leave their home unless they have a ‘reasonable excuse’.