How should an employer handle personal information in relation to NHS Test and Trace?
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
Related FAQs
The FCA’s test case in the Supreme Court ruled overwhelmingly in favour of policyholders. However, business interruption cover generally has the prerequisite of physical damage or loss to the property (or in some circumstances, the presence of a notifiable disease at the property or within a certain radius of it), to recover losses caused by the interruption to your business. The onus is on insurers to re-assess those claims which are impacted by the Supreme Court’s judgment and to make contact with the policyholders regarding next steps. If you have not already made a claim, in the first instance the terms of any policy should be checked carefully to see whether business interruption cover is provided.
Some commercial tenants have queried whether the current situation is a force majeure which may allow it to terminate the lease. Clauses which allow a party to terminate a lease for a force majeure event or, to put it another way, an “act of God”, are however extremely rare in modern commercial leases. Even if there is such a provision in your lease, it would need to be drafted to apply to an outbreak of disease.
There should be some data collected as to the type and number of interactions MHFA are having, to ensure no one individual or individuals are overloaded. MHFAs should be encouraged to maintain regular self-care practice, to lean in to all support provisions available in their organisation, to engage in peer support, and to take a break from their role as a MHFA to prioritise their own wellbeing as needed. It is also important that those who volunteer to be MHFAs have the support of their managers. So they have the time to do both their core role and their MHFA duties without feeling pressurised to cram work into spare time to make up for time spent on MHFA duties.
As we move to look at re-opening businesses and getting people back into the workplace there is work to be done by employers, firstly in planning how they are going to do this, and secondly, communicating those plans to staff. The only way in which businesses are going to be able to manage the transition back to some form of normality is by speaking to their staff and re-assuring them about the measures that will be put in place to safeguard their health and safety in order to enable them to return. Any successful return to work will need to based on carefully thought out plans and providing re-assurances to employees that necessary action is being taken.
Employers will be focusing on:
- How do I get my workforce back safely, and
- How do I give my workforce the confidence to return.
As the pandemic progresses, more and more people will be forced to self-isolate and, inevitably, both tenants and staff will be affected. Put plans in place to mitigate the impact that this may have, particularly regarding staff shortages. The most important focus here should be communication.
The Covid-19 outbreak will affect the pace of everyday life and delays will be expected. Rather than allowing the pandemic to take over completely, it is important to maintain open communication with tenants as much as possible and inform them of any front-facing challenges that you may face.
The Protocol does envisage that delays may occur and allows for some degree of flexibility. Whilst all efforts should be made to conduct inspections where practical and possible, it should be expected by all parties that timescales will be extended during this crisis. It is fundamental, however, that all changes made to standard practice are communicated and explained to tenants to manage expectations.
Similar flexibility should be afforded to tenants. As households are required to isolate it will not always be possible to gain access to properties as would usually be expected and required. Likewise, vulnerable people will wish to protect themselves and their families and may refuse access on this basis. During this period, a degree of understanding must be exercised and concessions made.
Inspections may be delayed if anyone in the household has symptoms. A questionnaire should be prepared for those visiting properties to assess so far as possible the risk; Personal Protective Equipment should be issued to those visiting, and government guidelines followed.