What are the data protection implications of holding Covid-19 health data?
The ICO is providing new guidance to organisations regarding data protection and coronavirus, which can be accessed here: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/
Information about the Covid-19 health status of individuals is special category data under the GDPR. This means it is high risk which has implications for how you use it, store it and keep it secure.
You will already hold health data about your employees as this is necessary to provide a safe, accessible place to work and to make reasonable adjustments to the workplace. You now need to make sure that the information you gather about your employees, visitors to your sites, customers and suppliers about Covid-19 is processed in accordance with data protection laws.
Related FAQs
- On admission to hospital, all adults should be assessed for frailty, irrespective of their age and Covid-19 status. Regard should be had to any comorbidities and underlying health conditions.
- If a patient is identified as potentially having Covid-19, the UK Government guidance on infection prevention and control measures should be followed.
- If Covid-19 is then diagnosed in someone who is not isolated from admission or presentation, the UK Government guidance on actions required when a case was not diagnosed on admission should be followed.
As the coronavirus outbreak continues to develop, we have seen many countries begin to implement emergency procedures and legislation in an attempt to control the spread of the disease.
These have included bans on gatherings and public events, closures of shops, bars, restaurants and public spaces, and full lockdowns which restrict all but key workers to their homes except in certain limited circumstances.
This has a direct impact on businesses and their ability to operate. So what happens if a contract becomes impossible to perform because of emergency legislation?
For example:
- If you are a hospitality business, you have agreed to host an event, and gatherings are prohibited
- If you are a manufacturer or service provider, and your staff are required to remain at home, making performance of the contract impossible
Yes, this is very likely to amount to a reasonable management instruction which is put in place for public health reasons. Employers should make it clear to their employees that this is something they are required to do and that if they fail to do so this may lead to disciplinary action.
Details of your MHFAs should be posted somewhere that everyone can access easily – a specific area on an intranet or whatever alternative exists. Regular comms involving the MHFAs, webinar sessions, Q&A sessions and mental wellbeing drop in sessions are all ideas that may work well.
MHFAs are not qualified mental health medical professionals and they should not be diagnosing or giving medical advice, however, their training will equip them to provide initial support to those experiencing symptoms of mental ill health, and to signpost to further professional help when needed. The MHFA training makes the boundaries of the MHFA role very clear and there should be clearly defined role specifications, procedures and support pathways in place to ensure that individuals are referred on appropriately. There should be peer support in place for MHFAs and a system in place to ensure no individual or individuals are overloaded.