We have had a number of queries from schools with regard to the processing of health data for staff and pupils in light of the phased reopening of schools and the implementation of the NHS Test and Trace system. The ICO has now updated its own guidance for processing data during the “recovery” phase of the coronavirus pandemic. Below are the key points from its updated guidance as well as links to the full guidance. We have also created an addendum to your privacy notices with specific reference to the NHS Test and Trace system and a Data Protection Impact Assessment (DPIA) for health data which includes Covid-19 testing data.
Privacy Notice Update – NHS Test & Trace
We have provided an addendum to the privacy notices that covers sharing data with the NHS Test and Trace system. Whilst the information that has been released about the system doesn’t explicitly state how the system may contact employers and request information for contact tracing, our conclusion is that the most they may request is the name and contact information (phone number or email address) of anyone who has been “in contact” with one of your staff or pupils who has tested positive. The addendum reflects that and gives the legal bases for sharing that data.
You can find the addendum in Global Documents on the portal. Sign in here:
It is likely that you are also handling additional health data due to the coronavirus (including your own testing data), so you should also consider updating your existing pupil and workforce privacy notices to include this data. You should state why you are collecting it, the legal bases for that, who, if anyone, you are sharing it with, and how long you are retaining it. Let us know if you need help with this.
Health Data DPIA
As an organisation, you should have Data Protection Impact Assessments (DPIAs) in place for systems that conduct large-scale processing of data and/or process sensitive data. This includes systems that process health data. As you may now be handling additional health data due to the coronavirus (including your own testing data), it is a good time to review your DPIA or ensure that you have one in place!
We have created a DPIA template specifically for health data which includes coronavirus testing data. You can find this on the portal in Global Documents. You will need to ensure that the processes on the template match those of your school before it can be fully implemented. Equally, you may need to update your processes to ensure that they are appropriate considering the sensitivity of the data.
Use the link above to sign into the portal and download the template. Please contact us if you would like assistance in adapting this to your setting.
Updated ICO Advice
As lockdown continues to ease, the ICO has updated their Data Protection and Coronavirus Information Hub. This now includes their six data protection steps for organisations during coronavirus recovery which, in overview, are:
- Only collect and use what’s necessary
- Keep it to a minimum
- Be clear, open and honest with staff about their data
- Treat people fairly
- Keep people’s information secure
- Staff must be able to exercise their information rights
Questions Answered by the ICO:
- When they return to work, I want to carry out tests to check whether my staff have symptoms of COVID-19 or the virus itself. Do I need to consider data protection law?
- How can I show that our approach to testing is compliant with data protection law?
- How do I decide if symptom checking, testing and the processing of health data of employees is necessary?
- How do I decide what type of tests are necessary?
- Which lawful basis can I use for testing employees?
- What do I need to tell my staff?
- Can I make it mandatory that my staff are checked for COVID-19 symptoms or tested?
- How often should I check for symptoms or test employees?
- Some staff already have the results of tests that they have arranged for themselves. If they disclose these results to me, what are the data protection considerations?
- Can I keep lists of employees who either have symptoms or have been tested as positive?
- How do I ensure I don’t collect too much data?
- Can I share the fact that someone has tested positive with other employees? What do I need to consider if I am planning to disclose this information to third parties?
- How do I ensure that staff are able to exercise their information rights as part of this process?
- Would it be appropriate to use temperature checks or thermal cameras on site, as part of testing or ongoing monitoring of staff?
- Can I use CCTV or other forms of surveillance to monitor whether my employees are observing health and safety measures to respond to the COVID-19 pandemic?
- Can I use recorded CCTV footage to monitor who an individual has been in contact with, if they are subsequently diagnosed with COVID-19 or suffer symptoms?
Please contact us if you do have further questions at GDPR@schoolpro.uk.
Please continue to ask if there is anything further that we can do to support you at this time.
Stay safe and healthy,
Ian, Rich and Ben
SchoolPro TLC Ltd (2020)
SchoolPro TLC is not responsible for the content of external websites.