Can I collect health data in relation to Covid-19?
Yes. With respect to employees you have an obligation to protect their health so you can gather information to do that. You might gather information from your employees on who has the virus, who has had it and recovered and also who has tested negative. You might also want to know if individuals have been in contact with someone who has it or if they are in a vulnerable group. It is reasonable to want to know where individuals have travelled. In the future it may also be reasonable to know if they are planning to travel to a virus hot spot, as the impact of the virus around the world is likely to continue for some time even after the outbreak has been contained in the UK.
It is reasonable to gather some information about visitors to your site, be they customers or suppliers, as this information will also help protect your staff. However, you should keep what you gather to a minimum. For visitors, it’s unlikely that you need to know anything more than they have Covid-19, are displaying symptoms or have recently been in contact with someone who has the virus.
Related FAQs
The application has to be made before the date on which the accounts should have been filed, so this process can’t be used if you are already late. If you don’t make the application before your filing deadline, then a fine will automatically be generated if your accounts are filed late. Whilst you could appeal against such a fine on the grounds that the delay was caused by coronavirus issues, this is likely to be a much more time consuming and uncertain process that applying in advance.
It does not appear that the process applies to Confirmation Statements or other returns.
It is. If you assess a risk and identify a control measure then fail to deploy it, then you are breaching your legal duties under HASWA and potentially committing a criminal offence. So if you decide for example that N95 respirators have to be used by everyone, you have a duty to provide them.
So the short answer is yes.
It would be prudent to take legal advice early in relation to any issue you foresee in performing a contract. This will allow you to:
- Ensure that initial contact with your counterparty is framed in the correct way
- Ensure that any variations are fully documented so that both parties are fully protected
Ultimately closing a service will be a decision that is taken at the highest level and that decision will depend on risk appetite. Often these types of higher risk are mitigated by way of insurance but that still depends on an insurer being willing to accept that risk. This decision will depend on accepting a known risk and its consequences.
Privacy policy – You must make sure the relevant privacy policies deal with how you will process Covid-19 data. You should have an employee privacy policy and this may already deal with health data (if it doesn’t, it should). You might also need to look at privacy policies for customers, visitors and suppliers. This ensures that processing is lawful, fair and transparent.
Lawful processing conditions – You will need to consider which processing conditions you are relying on (remembering that you need both an Article 6 condition and an Article 9 condition – this is the part of the GDPR which deals with special category data). As a lot of the data you collect will be about employees, you can’t use consent so you will have to find another lawful reason under GDPR which allows you to process the data.
Appropriate policy document – When you are considering your Article 9 processing conditions, remember you must also have an “appropriate policy document” in place.
Processing record – Finally make sure your processing record is up to date with information on what data you collect and use.