My business involves providing services to consumers. What are my legal obligations in relation to deposits paid by consumers for services that I have been unable to perform due to government restrictions?

Although there is no formal selection process that must be followed in order to furlough staff, the basis for selecting who will be furloughed should be explained to all relevant staff. Basing this on work levels, required skills or whether work can in fact be carried out efficiently from home will help this process. Staff can be invited to volunteer to be furloughed or re-furloughed. Any requests can be considered on a case by case basis. It may be that a particular skill set is required which may result in an employee’s request being refused.

Employees are generally permitted to take holidays during furlough. However, Government guidance has been updated to state that “Employees should not be placed on furlough for a period simply because they are on holiday for that period.” If a period of furlough happens to coincide with an employee’s holiday then you should ensure that there are business grounds to support furlough being used in that instance so that it isn’t just being used as a means to fund holiday utilisation.

To respond to the crisis businesses might need to exchange information to a greater extent than they would usually. They might need to discuss capacity and to coordinate supply chains (both upstream and downstream). They might need to purchase or sell jointly to ensure vital supplies are maintained. In general agreements or collaboration which:

• Avoid a shortage, or ensure security, of supply
• Ensure a fair distribution of scarce products
• Continue essential services
• Provide new services such as food delivery to vulnerable consumers

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

• Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
• Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
• Only use the information for the purpose of managing the workforce during the pandemic.
• Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
• Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
• Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
• Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
• Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
• Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
• All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

Where an employer is proposing to dismiss:

• 100 or more employees at one establishment within a 90-day period, consultation must begin at least 45 days before the first dismissal takes effect
• Between 20 and 99 employees within a 90-day period, consultation must begin at least 30 days before the first dismissal takes effect
• If you are proposing to dismiss less than 20 employees then there are no minimum time limits but you must adhere to a fair process which will involve individual consultation and providing the employee with a right of an appeal