What are the data protection implications of holding Covid-19 health data?

Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.

• Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
• Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
• Only use the information for the purpose of managing the workforce during the pandemic.
• Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
• Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
• Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
• Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
• Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
• Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
• All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.

If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.

** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.

The Coronavirus Business Interruption Loan Scheme (“CBILS“) is open for applications to provide small businesses with a loan of up to £5m to assist with the Covid-19 outbreak. The Scheme is aimed at businesses who are experiencing lost or deferred revenues, and who otherwise would be denied support from lenders, to be supported by a Government backed guarantee. The Scheme will initially run for six months with the possibility to be extended where required, so businesses should only approach a lender under the Scheme as and when they require assistance.

It is worth pointing out that, despite all the guidance, survey results and other advice about managing Covid-19 H&S risk in the workplace, the law has not been changed. None of the guidance is codified by regulation/legislation, which means that you are managing this risk in the context of existing H&S law.

In very simple terms, HASWA74 requires employers to take “all reasonably practicable steps” to ensure the health and safety of its employees (and anyone else affected by your business).

“Reasonably practicable” means to balance risk reduction against the time, money and effort required. If measures are grossly disproportionate, you wouldn’t be expected to take them, but there is a strong presumption in favour of taking any steps which will protect workers.

As part of managing the health and safety of your people, you must control the risks in your workplaces. To do this, look for what might cause harm to people while they work and decide whether you are taking reasonable steps to prevent that harm. This related duty under MHSWR is to ensure you undertake a “suitable and sufficient assessment of risks.”

All employers in the UK are eligible to participate in the scheme. The purpose of the scheme is to allow employers to claim back employment costs if they have furloughed employees arising from the coronavirus crisis. Importantly this means the scheme is not limited to cases where the employee would otherwise have been made redundant.

Key points:

• Between 1 November 2020 – 30 June 2021, the government will reimburse employers for 80% of wage costs, up to a cap of £2,500 per month, with employers expected to contribute 10% of that 80% in July 2021 and 20% of that 80% in August and September 2021. Employers will still need to pay employer NICs and employer pension contributions (these cannot be claimed for).
• The scheme now also allows employees to return to work part time being on furlough for the remainder. See flexible furlough above for more information.
• The employer can agree to pay the employee more than it will be reimbursed but it cannot reclaim the additional amount or any other costs associated with the additional amount.
• The workers covered by the scheme are those who have been “furloughed” which is a leave of absence.
• Workers must be told about and agree to this change of status (see below).
• Employers have to continue to pay the furloughed workers and the Government will reimburse the employer.
• HMRC is administering the scheme and it has been extended until the end of September 2021
• Those who left employment and are re-employed and subsequently furloughed by agreement are eligible (please see the FAQ regarding redundancy and furlough above).
• Payments may be withheld if claims are based on inaccurate or dishonest information, or are found to be fraudulent. HMRC has put in place an online hotline for employees and the general public to report suspected fraudulent claims.
• The Government has made alternative help available for employers to continue to pay employees while the scheme is set up.

Yes, but only for work purposes and where it is unreasonable to do so from home. Work colleagues cannot meet to socialise.