Skip to content
Menu

Home FAQs How should an employer handle personal information in relation to NHS Test and Trace?

How should an employer handle personal information in relation to NHS Test and Trace?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

  • Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
  • Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
  • Only use the information for the purpose of managing the workforce during the pandemic.
  • Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
  • Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
  • Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
  • Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
  • Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
  • Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
  • All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Related FAQs

Will COP hearings still be open to the public?

Transparency is considered to be central to the philosophy of the COP. The guidance provides details on issues concerning transparency of proceedings and involvement/attendance of P. Whilst there will be some difficulties with ensuring that remote hearings are accessible to the public as an ‘open court’, provisions have been made for the continued presence of the press where the facilities can accommodate this.

Last updated on 29th May, 2020

Do I need to do anything extra to safeguard my employee’s mental health during the Covid-19 outbreak?

Homeworking can cause work-related stress and affect people’s mental health and being away from managers and colleagues could make it difficult to get proper supervision and support.

Encourage your employees to keep in touch. Put procedures in place so you can keep in direct contact with home workers and can recognise signs of stress as early as possible. Use group chat and video chat tools imaginatively.

Have an emergency point of contact and share this so people know how to get help if they need it.

People are much more anxious than usual and may be less productive as a result – recognise this and try to be patient.

Last updated on 5th January, 2021

Can I use my Contingent Business Interruption insurance to make a claim?

An extension to the traditional business interruption insurance, “contingent business interruption insurance” often covers areas such as business interruption due to damage to property of a customer or suppliers. Nonetheless, proving loss can be problematic.

Claims for loss of use of the property may be possible as a result of forced business closure due to lockdown.  Accordingly policies should be carefully reviewed to see if cover is available.

Last updated on 27th April, 2021

What are the alternatives to an injunction?

A quicker and more cost-effective option may be the involvement of the police given their recent allocation of emergency powers to disperse, fine or even arrest persons who flout these rules. Nevertheless, it appears that the Court is willing to support housing providers in their efforts to tackle anti-social behaviour during this time.

Last updated on 7th April, 2020

The proposed start date on the Certificate of Sponsorship is about to pass, what do I do?

Sponsors should update the proposed start date by adding a sponsor note to the CoS via the Sponsor Management System.
Does a sponsor need to report a change in workplace if a Tier 2 visa holder is working from home as a result of Covid-19?

Last updated on 15th May, 2020