What do we need to do?
Privacy policy – You must make sure the relevant privacy policies deal with how you will process Covid-19 data. You should have an employee privacy policy and this may already deal with health data (if it doesn’t, it should). You might also need to look at privacy policies for customers, visitors and suppliers. This ensures that processing is lawful, fair and transparent.
Lawful processing conditions – You will need to consider which processing conditions you are relying on (remembering that you need both an Article 6 condition and an Article 9 condition – this is the part of the GDPR which deals with special category data). As a lot of the data you collect will be about employees, you can’t use consent so you will have to find another lawful reason under GDPR which allows you to process the data.
Appropriate policy document – When you are considering your Article 9 processing conditions, remember you must also have an “appropriate policy document” in place.
Processing record – Finally make sure your processing record is up to date with information on what data you collect and use.
Related FAQs
The guidance is non-statutory and is not binding on business. However, businesses should be aware that there might be reputational consequences if they do not follow the guidance; we have already seen in the context of taking advantage of furlough funding that not being in breach of the law is no protection against negative publicity. Further to the extent a contract expressly requires parties to act reasonably, it could be expected that this guidance is one of the factors a court would consider in determining what is reasonable.
Partner at Ward Hadaway Adrian Ballam catches up with corporate finance expert and CBILS specialist Chris Silverwood (CorpFin and cashflow.co.uk) a month after their initial conversation to talk about what the last couple of months have taught us about access to finance.
Sections of the video and their timings are as follows:
(01.06) – example of continuing appetite for certain businesses (e.g. tech sector)
(02.06) – conflict between incumbent bank and different CBILS lenders, plus brief discussion of CBILS II
(05.36) – bounce back loans have been a distraction
(06.27) – muted impact of fintech CBILS lenders
(07.52) – discussion about invoice discounting
(11.59) – looming insolvency environment
(12:52) – emerging themes
Despite remote hearings being the default position at present, formal permission will still be required by the court and a template order was circulated with the guidance. This template sets out the relevant directions and recitals to include in your order. An application to the COP for a remote hearing will not be required.
To respond to the crisis businesses might need to exchange information to a greater extent than they would usually. They might need to discuss capacity and to coordinate supply chains (both upstream and downstream). They might need to purchase or sell jointly to ensure vital supplies are maintained. In general agreements or collaboration which:
- Avoid a shortage, or ensure security, of supply
- Ensure a fair distribution of scarce products
- Continue essential services
- Provide new services such as food delivery to vulnerable consumers
In most circumstances the answer will be no. It would be an infringement of their human rights. It could also be a criminal assault.
However where there is a high risk to employees of exposure to COVID-19, such as care homes and healthcare environments, you might be able to make it a requirement of their role to have the vaccine.
First, consider whether you need to have a blanket requirement covering all employees or whether only certain groups who work in the most high risk areas require the vaccine.
You will need to do a thorough risk assessment balancing the amount that the risk of exposure would be reduced against the interference with the employee’s human rights. Consideration will need to be given as to whether insisting on the vaccine is proportionate to the risk and whether other less invasive steps could be taken instead, such as maintaining social distancing, wearing a mask, washing hands.
Any requirement for employees to be vaccinated should be communicated clearly to employees and trade unions together with a clear explanation for why it is necessary.