Preparing for April 2021 – what do you need to do?

Privacy policy – You must make sure the relevant privacy policies deal with how you will process Covid-19 data. You should have an employee privacy policy and this may already deal with health data (if it doesn’t, it should). You might also need to look at privacy policies for customers, visitors and suppliers. This ensures that processing is lawful, fair and transparent.

Lawful processing conditions – You will need to consider which processing conditions you are relying on (remembering that you need both an Article 6 condition and an Article 9 condition – this is the part of the GDPR which deals with special category data). As a lot of the data you collect will be about employees, you can’t use consent so you will have to find another lawful reason under GDPR which allows you to process the data.

Appropriate policy document – When you are considering your Article 9 processing conditions, remember you must also have an “appropriate policy document” in place.

Processing record – Finally make sure your processing record is up to date with information on what data you collect and use.

We don’t recommend this. Status determination statements must be issued before 6 April 2021 for current engagements and the appropriate deductions are to be made on payments for services carried out on or after 6 April 2021.

Obtaining an employee’s Covid-19 test result will amount to processing personal data for the purposes of the General Data Protection Regulation 2016/679 (GDPR) and information about an employee’s health is a special category of data (sensitive personal data under the Data Processing Act 2018 (DPA)).

In accordance with the GDPR and DPA, there must be lawful grounds for processing such information. Most employers rely on employees’ consent to obtain medical information and process sensitive personal data and if the employee is unwilling to give consent, you will not normally be entitled to the information.

Special category data can be processed lawfully if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. Employers may be able to require an employee to disclose their Covid-19 test if there is a substantial public interest, such as ensuring that the employee self-isolate if they have a positive test. However, there is a risk that this measure could be considered disproportionate particularly if it is enforced on all employees as a blanket measure.

At the discretion of the lender, the Scheme may be used for unsecured lending for facilities of £250,000 and under.

Lenders were required to demonstrate lending additionality (i.e. lending that without the Scheme, wouldn’t have otherwise taken place). The Scheme has been extended to those businesses who would have previously met requirements for a commercial facility and would not have been eligible for CBILS.  As a result  it is suggested that all viable small businesses affected by Covid-19, and not just those unable to secure regular commercial financing, will now be eligible should they need finance to keep operating.

Primary Residential Property cannot be taken as Security under the Scheme. If the lender can offer finance on normal commercial terms without the need to make use of the Scheme, they will do so.

This is likely to be a common situation and employers and employees are going to have to take a pragmatic approach. You could enter into a temporary flexible working arrangement perhaps agreeing to vary working hours/days or reducing targets or agree to use some annual leave.

Employees could ask to take a period of unpaid leave, asserting their right to time off to care for a dependant but the lack of pay is likely to be unappealing.

Alternatively employees who are unable to work because they have caring responsibilities as a result of COVID-19, which includes childcare responsibilities, can be furloughed.