What do we need to do?
Privacy policy – You must make sure the relevant privacy policies deal with how you will process Covid-19 data. You should have an employee privacy policy and this may already deal with health data (if it doesn’t, it should). You might also need to look at privacy policies for customers, visitors and suppliers. This ensures that processing is lawful, fair and transparent.
Lawful processing conditions – You will need to consider which processing conditions you are relying on (remembering that you need both an Article 6 condition and an Article 9 condition – this is the part of the GDPR which deals with special category data). As a lot of the data you collect will be about employees, you can’t use consent so you will have to find another lawful reason under GDPR which allows you to process the data.
Appropriate policy document – When you are considering your Article 9 processing conditions, remember you must also have an “appropriate policy document” in place.
Processing record – Finally make sure your processing record is up to date with information on what data you collect and use.
Related FAQs
- Employee pensions contributions are often paid by way of salary sacrifice arrangements.
- Use of such arrangements may reduce the amount of wage an employer can claim under the Coronavirus Job Retention Scheme, as the reimbursement is calculated by reference to an employee’s actual pay as at 28 February 2020, hence post sacrifice pay.
- Using the Coronavirus Job Retention Scheme does not in itself bring a salary sacrifice arrangement to an end, but where an employer wishes to maximise the amount of an employee’s pay that will be covered by the CJRS, the employer and employee(s) concerned may agree to terminate the salary sacrifice arrangement as part of furlough. HMRC has recently announced that the Covid-19 pandemic will be considered a “life event” (i.e. one of the permitted reasons to break a salary sacrifice arrangement mid-term), if the employment contract is updated accordingly.
Obtaining an employee’s Covid-19 test result will amount to processing personal data for the purposes of the General Data Protection Regulation 2016/679 (GDPR) and information about an employee’s health is a special category of data (sensitive personal data under the Data Processing Act 2018 (DPA)).
In accordance with the GDPR and DPA, there must be lawful grounds for processing such information. Most employers rely on employees’ consent to obtain medical information and process sensitive personal data and if the employee is unwilling to give consent, you will not normally be entitled to the information.
Special category data can be processed lawfully if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. Employers may be able to require an employee to disclose their Covid-19 test if there is a substantial public interest, such as ensuring that the employee self-isolate if they have a positive test. However, there is a risk that this measure could be considered disproportionate particularly if it is enforced on all employees as a blanket measure.
We hope that all organisations will come out of lockdown successfully. However, the current economic crisis means that many organisations will face very difficult trading conditions.
Employment costs are one of, if not the, largest cost to your organisation. These costs will have an effect on your financial well-being – and many organisations are now considering how to reduce employment costs. That said, your workforce is also your most important asset and as we get back to business, you will need your workforce to run the organisation, produce your goods, deliver your services and deal with your customers.
As a result, many organisations are facing a very difficult situation – how to reduce or flex the cost of the workforce whilst also maintaining an ability to service customers. This difficulty is enhanced by the uncertainty of when the pandemic will be controlled and the threat of lockdowns end.
As above, people must not leave their home unless they have a ‘reasonable excuse’ and travelling should be limited to their local area. Employees may leave their home and local area to travel for work if they cannot reasonably work from home. You should attempt to reduce the number of journeys they make.
You must exercise reasonable care in assessing status and making a status determination, considering what the position would be if the contractor was engaged directly by the end user client instead of via a PSC.
Status is usually determined by looking a number of factors and how they apply to the contractor’s working arrangements. This is a difficult exercise that is usually carried out by employment and tax lawyers and it is full of grey areas. We have a toolkit that can help you navigate this process which Paul will tell you more about at the end of the session.
The key factors used to determine status are:
- Control:
- How much control does the end user client have over the contractor in terms of working arrangements (hours, place of work) and how the work is carried out? Or is the individual contractor able to determine how and when they work and without direct supervision of the end user client?
- Personal service:
- Is the contractor required to perform the services personally without the right to send a substitute? If there is a right to appoint a substitute is this subject to end user client approval?
- Mutuality of obligation:
- Is the end user client obliged to provide the contractor work with a mutual obligation on the contractor to accept that work?