What are the data protection implications of holding Covid-19 health data?
The ICO is providing new guidance to organisations regarding data protection and coronavirus, which can be accessed here: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/
Information about the Covid-19 health status of individuals is special category data under the GDPR. This means it is high risk which has implications for how you use it, store it and keep it secure.
You will already hold health data about your employees as this is necessary to provide a safe, accessible place to work and to make reasonable adjustments to the workplace. You now need to make sure that the information you gather about your employees, visitors to your sites, customers and suppliers about Covid-19 is processed in accordance with data protection laws.
Related FAQs
Employees who are unable to work because they are shielding in line with public health guidance (or need to stay home with someone who is shielding) can be furloughed after 1 July 2020, as long as you have previously submitted a claim for them in relation to a furlough period of at least 3 consecutive weeks taking place any time between 1 March 2020 and 30 June.
State aid rules are contained in the Treaty on the Functioning of the European Union (previously referred to as the Treaty of Rome). The State aid rules prohibit the use of state resources, or any public support with an economic value, which given selectively has the capacity to distort trade by favouring certain undertakings, or the production of certain goods, and which has the potential to affect trade between Member States. Where aid is present it must not be granted unless it has been specifically approved in advance by the European Commission or benefits from a general exemption to the rules.
In general, the rules apply to all State actions which might assist businesses including:
- Grants
- “Soft” loans
- Selling to business at an undervalue
- Buying from business at an overvalue
It is unlikely that an employer can place such a requirement on staff without infringing the employee’s privacy. If the employee is acting in accordance with the rules, limiting their activity would likely be considered unreasonable.
The current position is that the PSC is responsible for assessing whether IR35 applies. This current regime has been difficult to police by HMRC and HMRC considers there is widespread flouting of the rules by contractors.
From April 2021 the responsibility for assessing whether IR35 applies will shift to the end user/client (with the exception of ‘small’ companies) which will require an assessment to be carried out on a contract by contract basis. HMRC anticipates that this will be easier to monitor and that end user businesses will be more compliant.
The reformed regime will apply to payments made on or after 6 April 2021 for services carried out on or after this date.
As their employer, you have an overriding duty to provide a safe system of work. The Trust would not be able to run a defence to say that an employee “waived their rights” and chose to continue to work. Provided the decision around restricting duties has been carefully thought out, a full risk assessment undertaken and the employee has been truly consulted about the impact on them, then the decision taken will be a reasonable management instruction. Failing to follow that reasonable management instruction could amount to a disciplinary offence.