What are the data protection implications of holding Covid-19 health data?
The ICO is providing new guidance to organisations regarding data protection and coronavirus, which can be accessed here: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/
Information about the Covid-19 health status of individuals is special category data under the GDPR. This means it is high risk which has implications for how you use it, store it and keep it secure.
You will already hold health data about your employees as this is necessary to provide a safe, accessible place to work and to make reasonable adjustments to the workplace. You now need to make sure that the information you gather about your employees, visitors to your sites, customers and suppliers about Covid-19 is processed in accordance with data protection laws.
Related FAQs
The duty is to inform and consult appropriate representatives of the “affected employees”.
Note that the term “affected employees” means those who may be “affected by the proposed dismissals or who may be affected by measures taken in connection with those dismissals”. The term extends beyond those immediately at risk of dismissal to include those affected by measures associated with the redundancies.
“Appropriate representatives” can be:
- The Trade Union (if recognised)
- (For any roles not covered by collective recognition) any existing standing body of elected or appointed employee representatives (if already in place)
- Employee representatives, who are elected specifically for redundancy consultation
As long as you can demonstrate that you have exercised reasonable care in determining status you have discharged your obligations in that respect. However, if you are unable to demonstrate this, you may as the end user client be responsible for the contractor’s tax and NIC’s.
It would be prudent to take legal advice early in relation to any issue you foresee in performing a contract. This will allow you to:
- Ensure that initial contact with your counterparty is framed in the correct way
- Ensure that any variations are fully documented so that both parties are fully protected
Details of your MHFAs should be posted somewhere that everyone can access easily – a specific area on an intranet or whatever alternative exists. Regular comms involving the MHFAs, webinar sessions, Q&A sessions and mental wellbeing drop in sessions are all ideas that may work well.
The guidance is helpful and is likely to be useful to businesses as they seek to respond to the crisis and to restart their business activities as lockdown is eased. However, there remain outstanding questions. For example, can collaboration to prevent widespread insolvencies be viewed as in the interest of consumers? Businesses need to remain aware of the extremely high stakes involved in relation to competition law. Businesses contemplating collaboration with competitors should take legal advice before doing so.