What are the data protection implications of holding Covid-19 health data?
The ICO is providing new guidance to organisations regarding data protection and coronavirus, which can be accessed here: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/
Information about the Covid-19 health status of individuals is special category data under the GDPR. This means it is high risk which has implications for how you use it, store it and keep it secure.
You will already hold health data about your employees as this is necessary to provide a safe, accessible place to work and to make reasonable adjustments to the workplace. You now need to make sure that the information you gather about your employees, visitors to your sites, customers and suppliers about Covid-19 is processed in accordance with data protection laws.
Related FAQs
A new Permitted Development Right has been introduced by The Town and Country Planning (Permitted Development and Miscellaneous Amendments) (England) (Coronovirus) Regulations 2020 providing for the construction of new dwellinghouses on detached blocks of flats.
The new Right comes into force on 1 August 2020 and from this date development consisting of works for the construction of up to two additional storeys of new dwellinghouses immediately above the existing topmost residential storey which is a purpose-built, detached block of flats is permitted development. The Right additionally covers specified associated works, the construction of fire escapes and ancillary structures, bin stores for example.
The Right is subject to detailed criteria being met and to a prior approval process to the Local Planning Authority who can consider the acceptability of the proposed development in a range of respects. A link to the Regulations is here.
The Regulations additionally include a number of further amendments including additional rights for the holding of markets and for additional temporary uses of land for a time limited period. They additionally include amendments to existing permitted development rights for the change of use of buildings to dwellinghouses through a requirement that there be adequate natural light in all habitable rooms.
The CMA is the government body that is responsible for protecting consumers from unfair trading practices. It has announced programme of work to investigate reports of businesses failing to respect cancellation rights during the Coronavirus pandemic.
Based on the complaints received by them from consumers, the CMA has identified three sectors of particular concern:
- Weddings and private events
- Holiday accommodation
- Nurseries and childcare providers
The CMA has expressed concern about the number of complaints that it has received about businesses seeking to retain deposits for cancelled events, undue restrictions being placed on use of vouchers provided for cancelled bookings, and payments being demanded to hold open nursery places.
The CMA has said it will prioritise investigation of these sectors, and then move on to other sectors.
- Before any agreed reduction in wages, actual changes to earning patterns (loss of overtime, for example) may impact the pensionable salary as defined under the scheme rules, with knock-on effects to a number of benefit calculations, such as death in service benefits.
- Contractual changes to member salaries may adversely impact accrued benefits as the final salary figure may be reduced to a greater or lesser extent depending on the duration of furlough and the severity of any reductions in wage, and hence reductions may be difficult to agree with staff.
- Reducing employer contributions will be subject to a number of the same considerations applicable to a DC scheme listed above. There will also be a need to change the rules and interact with the trustees, although it may be possible to override the rules with a direct contractual agreement with members.
- Reducing employee contributions will also depend on the scheme rules, particularly as to whether there are any discretionary powers to suspend contributions, or pensionable service.
- The rules will need to be considered for any unexpected consequences of furlough: depending on the wording of the rules, furlough may or may not be considered a leave of absence and may or may not have the effect of terminating pensionable service. This could have far-reaching consequences.
- In particular, if the workforce’s pensionable service is inadvertently terminated as opposed to suspended in accordance with any relevant rule, this could trigger a statutory employer debt on an employer participating in a multi-employer scheme, if pensionable service continues for employees of other employers. This sort of issue is unlikely to be spotted until after the event, and therefore difficult to untangle. However, an employer should be able to take advantage of the “period of grace” provisions by notifying the trustees of its intention to re-admit employees to pensionable service within the next 12 months.
- Clearly the impact of the Coronavirus Job Retention Scheme on DB schemes is complex and legal advice should be sought before any changes are considered.
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
The Vice President of the COP, Mr Justice Hayden, has issued guidance to assist parties during this challenging time.
The latest guidance with all relevant updates on developments is available on the judiciary website here.