Welcome to our third newsletter of 2021.
The common denominator in all things pandemic related has been the amount of information to absorb, and then, just when you think you’ve got to grips with it all, it’s changed again!
As promised, we plan to keep you updated on a weekly basis regarding significant changes to guidance and legislation, Q&As and best practice from a HR and H&S perspective.
This week we focus on data protection and share some FAQs.
Just a quick reminder that 2018 saw an update of the Data Protection Act and the introduction of the new, improved General Data Protection Regulation. The main reason for the overhaul of the previous legislation was to take into account the sheer volume of information that is currently held by organisations in the digital era and to update and improve our individual rights as data subjects.
The same main principles of data protection still apply:
1. Lawfulness, fairness and transparency.
2. Purpose limitation.
3. Data minimisation.
5. Storage limitation.
6. Integrity and confidentiality.
What kind of security measures should my Company have in place for homeworking?
With an increased number of us working from home, staff may use their own devices (laptops, phones etc.). Data protection law doesn’t prevent this, but you will need to consider what security measures you need to take to keep the data secure. Ensure that staff are reminded of your policies and procedures around GDPR and confidentiality, including accessing, handling and disposing of data, and that they use appropriate unique passwords. Consider using cloud storage that is only accessible with a unique username and password. Insist that staff use company email addresses and do not rely on their own personal email addresses for work matters or for sending out data.
As a Care Home Manager or Health Care Worker, can I tell a resident or their family if another resident or member of staff may have contracted the virus?
Yes, you are permitted to exercise your duty to ensure the H&S of your residents, but you should not disclose the identity of any individuals unless you have to.
As an employer can I tell my workforce that another member of staff may have contracted the virus?
Yes, but avoid disclosing the identity of the staff member. A simple notice that there is a virus case on the premises, with instructions on what isolation precautions should be followed, would normally suffice.
If an employee shows symptoms or tests positive, should I report them to contact tracing?
No, contact tracing have the responsibility for following up a positive test result.
My business is legally required to collect customer, visitor and staff contact details for tracing purposes. Do I need to collect consent for contact tracing?
No, you do not need to obtain consent as your lawful basis to share data, unless it is truly voluntary to provide personal data to your business. You will need to share this data with the contact tracing scheme if requested.
My business isn’t legally required to collect or disclose personal data to contact tracing, but can I collect data “just in case?”
If your organisation isn’t one of the sectors this applies to, you should not be collecting information ‘just in case’ there is a need to disclose information to a contact tracing scheme. Any information collected would need to be on a voluntary basis.
How long should we keep this data for?
Only for as long as it is needed. It is usually recommended that you keep this data for 21 days, after which time it should be disposed of securely.
Can we make visitors or customers download a contact tracing app to check in to our premises by scanning a QR Code?
No, the use of contact tracing apps is entirely voluntary.
Can we use the data collected for contact tracing for any other purpose, such as marketing?
No, this would be considered a misuse of the information as this is outside the original purpose the data was collected for.
What if I make a mistake whilst under pressure and share personal data, will the ICO take action against me or my organisation?
The ICO have stated that it would be very difficult to think of a scenario where they would take action, particularly against a Health Care Worker, during this public health emergency.