What are the data protection implications of holding Covid-19 health data?
The ICO is providing new guidance to organisations regarding data protection and coronavirus, which can be accessed here: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/
Information about the Covid-19 health status of individuals is special category data under the GDPR. This means it is high risk which has implications for how you use it, store it and keep it secure.
You will already hold health data about your employees as this is necessary to provide a safe, accessible place to work and to make reasonable adjustments to the workplace. You now need to make sure that the information you gather about your employees, visitors to your sites, customers and suppliers about Covid-19 is processed in accordance with data protection laws.
Related FAQs
The basics of health and safety law requires that employers take “all reasonably practicable steps” to ensure workers’ safety and that a suitable and sufficient assessment of risk is undertaken. It is the individual assessment of Covid-19 risk in each workplace that will be central. Employers will be required to conduct a robust risk assessment and then, following the hierarchy of controls, put robust processes and safeguards in place to address those risks.
UK government guidance and HSE advice is continually evolving, which in practice means that any risk assessment will need to be reviewed very regularly as that guidance develops. There is flexibility for individual businesses within the overall government framework and there will need to be a process of evaluation to ensure that the measures in place continue to meet the requirements.
The starting point of avoid, eliminate and control means looking at individuals continuing to work from home where possible (the fewer the number of people back in the workplace the lower the risk), and if not look at risk management, which leads to administrative controls – i.e. changing work practices before ending up at PPE. PPE is generally seen as control of last resort but in practice – facemasks, disposable gloves and constant prompts to wash hands for example.
In terms of changing working practices, employers should be thinking about:
- the workspace and how this is laid layout
- how do we make sure it is kept clean and hygienic
- how do we keep people apart
- how can we use toilets, canteens or other shared spaces/facilities safely
- how do we promote and enable higher levels of workplace hygiene
- if we are going to rely on PPE – can we get it, and is it suitable
- what about limiting customer interactions
- will there be enough first aiders on site
- can we manage fire safety, deliveries etc
- what about higher risk workers
- should work tools and equipment be allocated on an individual basis to employees.
These decisions need to be recorded and clearly communicated to staff members.
£370 million will be available to support small and medium-sized charities who are at the heart of local communities and which are making a big difference during the outbreak, including those delivering food, essential medicines and providing financial advice. These monies will be distributed by organisations including the National Lottery Community Fund for those in England. It is understood these monies will need to be applied for. The application system for the National Lottery Community Fund grant pot is expected to be operational within a period of weeks.
To be eligible for CBILS, the British Business Bank has confirmed that businesses should be able to answer YES to the following points:
- Your application must be for business purposes
- You must be a UK-based SME with an annual turnover of up to £45m. This includes sole traders, freelances, body corporates, limited partnerships and limited liability partnerships. For sole traders to be eligible it is expected that sole traders will need to have a business account with its funders and not be operating via a personal account
- Your business must generate more than 50% of its turnover from trading activity
- Your CBILS-backed facility will be used to support primarily trading in the UK
- You wish to borrow up to a maximum of £5m.
Businesses meeting these criteria from all sectors can apply save for Banks, Building Societies, Insurers and Reinsurers (but not insurance brokers), the public sector including state-funded primary and secondary schools, employer, professional, religious or political membership organisation or trade unions which are not eligible.
Your borrowing proposals must be considered viable by the relevant lender under normal circumstances aside from the Covid-19 outbreak, and the lender believes the provision of finance will enable the business to trade out of any short-to-medium term difficulty. Lending decisions are delegated to the accredited lenders and lenders will need further information to confirm eligibility.
The eligibility criteria for CBILS does not require lenders to take into account other forms of Government support that SME’s may already be benefiting from, most notably business rate relief.
We understand that ownership structure is not taken into account when confirming eligibility and that businesses back by a PE funder or a subsidiary of an overseas entity can be eligible if it meets the other criteria.
An update on eligibility – 3 April 2020
Previously, for facilities above £250,000, the lender must establish a lack or absence of security prior to businesses using the Scheme. The requirement for insufficient collateral has been removed allowing those SMEs who are considered to have sufficient collateral to access the Scheme. We would expect that where security is available, a lender will seek to take security over the relevant assets.
There have always been ways for public bodies to assist without being required to notify these for approval. These continue to be available during the financial crisis, and are likely to be increasingly useful for measures which need to be introduced quickly. The measures include:
Those where it is possible to conclude that there is no effect on trade between Member States – for example, measures which are likely to have only a limited local effect. The European Commission has concluded, for example, that measures to assist locally-focused cultural activity can be assumed to have no effect on inter-State trade.
Those where it is possible to conclude that the State is acting in a way consistent with a commercial operator (the so-called Market Economy Operator Principle) – particular care will need to be taken in the context of current economic conditions to ensure that it can reasonably be asserted that a commercial operator would act in the same way as the public body.
Measures under the General Block Exemption Regulation – this legislation allows various types of aid, or aid schemes, to be employed.
Examples include aid for SMEs, aid for research and development, aid for local infrastructure and aid to ports and airports.
De Minimis Measures – Member States are permitted to grant small amounts of aid to undertakings over three fiscal years (the current year and the previous two years). This allows undertakings to receive up to €200,000 (or €500,000 where they are providing public services).
The General Medical Council (GMC) have published guidance online for doctors during this time of uncertainty.
Alongside this, their website displays guidance for temporary registration to approximately 15,000 doctors, who left the register or gave up their licence to practise in the last three years.
These clinicians have been contacted to assist with the growing pandemic, outlining the process they would follow and informing them of their right to opt-out. The Secretary of State for Health can ask the GMC to grant such registration under Section 18a of the Medical Act 1983, in an emergency.