What are the data protection implications of holding Covid-19 health data?
The ICO is providing new guidance to organisations regarding data protection and coronavirus, which can be accessed here: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/
Information about the Covid-19 health status of individuals is special category data under the GDPR. This means it is high risk which has implications for how you use it, store it and keep it secure.
You will already hold health data about your employees as this is necessary to provide a safe, accessible place to work and to make reasonable adjustments to the workplace. You now need to make sure that the information you gather about your employees, visitors to your sites, customers and suppliers about Covid-19 is processed in accordance with data protection laws.
Related FAQs
The reaction from NCVO is that this is an important first step. However, it will not stop well run charities from closing and others will look very different in a few months’ time.
In the event that the contractor is displaying one or more of the above signs, then it is worth considering the following actions to protect the employer’s position as far as possible:
- Closely monitor the financial and on-site performance of the contractor in order to assess the likelihood and timing of potential insolvency
- Ensure all bonds, guarantees and collateral warranties have been obtained under the building contract, and if not take steps to obtain them immediately
- Consider the terms of any guarantees to ensure that the guarantor’s obligations are not inadvertently discharged
- Bonds may require adjudication to have been commenced (or even completed) prior to insolvency so as not to be stayed pursuant to insolvency laws
- Carry out an audit of the on-site plant, equipment and materials, and evidence this (for example with photographs and written records)
- Ensure that copies of all relevant documentation have been obtained, for example drawings, specifications and anything required to comply with CDM requirements. If not, take steps to obtain these
- Review the payment position under the building contract, including whether any over payments have been made to the contractor which should be reclaimed, what retention is held or has been released, whether any payment notices may be necessary, and whether there are rights of set-off which should be exercised
- Check whether the involvement of any third party is required, for example funders, landlords, tenants or purchasers who may have rights in relation to the building contract and how it is administered
- Review the terms of the building contract relating to contractor insolvency – hopefully the parties will be fully aware of the building contract terms and have been administering it correctly to date, but if it has been hiding in a draw then now would be a good time to dust it off and ensure familiarity with the relevant provisions!
In general. there is often a stick or twist decision. If the employer chooses to financially support the contractor (for example by agreeing different payment arrangements), this may help to keep the contractor solvent and more likely to complete the project, but it also exposes the employer to greater risk if the approach is not successful. Conversely, withholding payments from the contractor may make insolvency a self-fulfilling prophecy. The precise advantages and disadvantages of the approach will be dependent on the specific circumstances of each case.
The General Medical Council (GMC) have published guidance online for doctors during this time of uncertainty.
Alongside this, their website displays guidance for temporary registration to approximately 15,000 doctors, who left the register or gave up their licence to practise in the last three years.
These clinicians have been contacted to assist with the growing pandemic, outlining the process they would follow and informing them of their right to opt-out. The Secretary of State for Health can ask the GMC to grant such registration under Section 18a of the Medical Act 1983, in an emergency.
Privacy policy – You must make sure the relevant privacy policies deal with how you will process Covid-19 data. You should have an employee privacy policy and this may already deal with health data (if it doesn’t, it should). You might also need to look at privacy policies for customers, visitors and suppliers. This ensures that processing is lawful, fair and transparent.
Lawful processing conditions – You will need to consider which processing conditions you are relying on (remembering that you need both an Article 6 condition and an Article 9 condition – this is the part of the GDPR which deals with special category data). As a lot of the data you collect will be about employees, you can’t use consent so you will have to find another lawful reason under GDPR which allows you to process the data.
Appropriate policy document – When you are considering your Article 9 processing conditions, remember you must also have an “appropriate policy document” in place.
Processing record – Finally make sure your processing record is up to date with information on what data you collect and use.
No, where employees cannot work from home, and it is safe for them to return to work, they should do so.