How do I remain compliant and cover any risk?
Data on properties, and people, has never been more important.
Given that compliance is at risk here, such a decision must be made by the Board to ensure good governance. Board approval should be sought and recorded for the approach the organisation is taking.
It is essential that you continue to record your data on compliance and report to your board at all times, and that there is a clear audit trail for issues with access, and if appropriate to the Regulator. Access issues as a result of self-isolation should be readily identifiable.
Operatives need to be provided with the tools to operate in as safe a way as possible:
- Checklist of questions to ascertain occupant’s current health
- Protective equipment (masks, gloves, over clothing)
The Gas Safe website is a useful resource for updates: https://www.gassaferegister.co.uk/help-and-advice/covid-19-advice-and-guidance/
Related FAQs
Statutory leave includes family related leave, sick leave or parental bereavement leave. Claims for furloughed individuals returning from statutory leave should be based on their salary, before tax, and not the pay they received while on statutory leave.
Similarly, claims for furloughed employees returning from a period of unpaid leave on sabbatical should be based on their pay they would have had on paid leave.
Privacy policy – You must make sure the relevant privacy policies deal with how you will process Covid-19 data. You should have an employee privacy policy and this may already deal with health data (if it doesn’t, it should). You might also need to look at privacy policies for customers, visitors and suppliers. This ensures that processing is lawful, fair and transparent.
Lawful processing conditions – You will need to consider which processing conditions you are relying on (remembering that you need both an Article 6 condition and an Article 9 condition – this is the part of the GDPR which deals with special category data). As a lot of the data you collect will be about employees, you can’t use consent so you will have to find another lawful reason under GDPR which allows you to process the data.
Appropriate policy document – When you are considering your Article 9 processing conditions, remember you must also have an “appropriate policy document” in place.
Processing record – Finally make sure your processing record is up to date with information on what data you collect and use.
Court hearings have been conducted remotely, with the judgment in Kerry v SSCLG being given via telephone. The Senior President of Tribunals issued emergency Practice Directions which will apply to Property and Lands Chambers’ respectively. This has made provision for remote hearings. Inspections of properties have been suspended with immediate effect, with photographs, videos or external visits permitted where appropriate. Where inspections are essential, the case should be stayed.
Employers will be collecting and sharing health information. Health information is sensitive and higher data protection standards apply. Here are a few key pointers.
- Update privacy notices to cover the new collection and sharing of employees’ information and provide these to the workforce. Be transparent and fair.
- Identify the legal basis and condition for use of this information and put any required paperwork in place. The ICO guidance will help. For some conditions such as the employment condition, an Appropriate Policy Document (APD) will be required. The ICO has an APD template.
- Only use the information for the purpose of managing the workforce during the pandemic.
- Only collect or share information if it’s necessary – if it’s a targeted and proportionate way of achieving your purpose.
- Make sure any health information collected and shared is accurate – there may be serious consequences if it’s not.
- Work out how long the information must be kept for. Keep a record of that period and act on it at the appropriate time.
- Security is very important – there may be malicious actors trying to trick employers and employees. Make sure employees know how to identify a genuine NHS Test and Trace contact. Keep the information secure. Use the ICO’s data sharing checklists** and keep a record of the disclosures made and why. Control external disclosures – only certain authorised members of staff should make them.
- Make sure individuals can still exercise their data protection rights – that’s also very important. Keep data protection records up-to-date and ensure any exports of personal information outside the UK are compliant.
- Before introducing employer-led testing like taking temperatures, thermal imaging or other potentially intrusive tests, work out if a data protection impact assessment (DPIA) is required. It will be if the intended processing is ‘high risk’. If it is, then carry out a full DPIA. It will help address the issues systematically and mitigate risks.
- All this demonstrates ‘accountability’ – it shows affected individuals and the ICO that the employer is complying with data protection requirements.
If you need further help, please visit the ICO’s data protection and coronavirus information hub or ask our data protection team.
** Please note that this link is to the ICO’s existing checklists and data sharing code of practice. We will update the link to the ICO’s new checklists after they are published.
The Chancellor has announced that all retail and hospitality firms will be exempt from paying business rates for 12 months in a bid to combat the financial damage caused by the outbreak.
This covers pubs, restaurants and shops. After initially covering businesses with a rateable value of less than £51,000, this has now been extended to cover firms of any size, “irrespective of rateable value.”
Smaller businesses have also been offered the option of a £25,000 grant to cope with the impact of coronavirus.
Since the announcement, the Government has also introduced a wide-ranging package of targeted measures to provide financial support to businesses during the coronavirus crisis.