Cornwall Partners in Care LogoCornwall Partners in Care LogoCornwall Partners in Care LogoCornwall Partners in Care Logo
  • Home
  • About
  • Join us
  • Forums
  • Members
  • News
  • Contact

Cornwall Partners in Care News

Latest News

GDPR issues around processing data for C19 testing

Swift HR Logo

Natalie Swift   BSc (Hons)  MA (Cantab)  MCIPD  CMgr MCMI
HR Consultant | Swift HRTel:           07918 015846
Email:      natalie@swifthr.co.uk
LinkedIn: linkedin.com/in/natalie-swift-8711715a/
Website: https://www.swifthr.co.uk/

This guidance is for adult social care providers who arrange regular COVID-19 antigen tests for employees and/or agency workers based in residential care homes or domiciliary services, to identify asymptomatic COVID-19 cases. 

COVID-19 test results (positive/negative) convey medical information, categorised as ‘Special Category Data’ under GDPR and the Data Protection Act 2018.  Receiving COVID-19 test results and taking action to manage positive cases means that you are processing the test results data.  The Information Commissioner’s Office (ICO) guidance about testing and processing the results is here.  

You need to:

  1. Complete a Data Protection Impact Assessment (DPIA) before starting the testing – ICO template here.  Keep this on file and update it if your processes change.
  2. Make arrangements to keep test kits and test results confidential and secure. This includes how test kits and test results will be securely stored, who will be made aware of test results (a need-to-know basis only, for those managers/HR who will manage the response to a positive test result) and how and when test results will be disposed of.
  3. Identify the Article 9 condition for processing. The permitted ground for processing special category data in this situation is for health purposes, under Article 9(2)(b) of the GDPR (processing data where it is necessary to carry out obligations and exercise specific rights of the employer or employee in the field of employment, and part 1 of Schedule 1 to the DPA 2018).  You may also be able to use the ‘public health’ condition (because positive results will be passed to public health contact tracing teams).
  4. Identify a lawful basis for processing:

If regular COVID-19 testing will be mandatory for your staff, the lawful basis will be ‘legitimate interest’ (protecting your staff and service users from COVID-19 infection).   For this you need to:

  • Complete a Legitimate Interest Assessment (LIA) to show that the processing is necessary, and that you have balanced it against the individual’s interests, rights and freedoms. ICO guidance on doing this is here, or you could take specialist data protection advice.  Keep the LIA on file and update it if your processes change.         
  • Compile a form for the employee to complete, sign and return to you before testing:
  • confirming their understanding of how their data will be processed
  • confirming their willingness to participate in testing (e.g. for 6 months, to avoid having to do a new form for every test)
    • Keep the completed forms on file. Get new forms from your staff if you need to carry on testing after the e.g. 6 month scope of the form.

If participation in regular COVID-19 testing will be voluntary for your staff, the lawful basis for processing the data could be ‘legitimate interest’ or ‘consent’. 

  • If you use ‘legitimate interest’ – follow the steps in the point above.
  • If you use ‘consent’, you must provide staff with a consent form to complete and return to you before the testing. 
    • confirming their employee’s willingness to do the test
    • confirming their understanding of how their data will be processed
    • providing ‘consent’ under GDPR as the lawful basis for processing their data (e.g. for 6 months)

Employees must be given a free choice about whether to complete the form and do the test, and can withdraw their consent at any time.

Swift HR is based in Newquay and offers specialist HR advice and support for Adult Social Care Providers in Cornwall.  Registering your business with us is FREE, and once registered you can contact us for HR support whenever you need to.  Full details of our services are on our website.  We offer affordable pay-as-you-go rates for one off pieces of work, or if you need a few hours of support each month we can offer a retained HR service at a discounted rate.  There are no long contracts (you can end or change your level of support with a month’s notice), so that you only pay for the HR support you need, and within your budget.  For your FREE registration with Swift HR, call Natalie Swift on 07918 015846 or email natalie@swifthr.co.uk. 

Pulse Cyber are GDPR Compliance Specialists for Health & Social Care and may be able to offer more specialist guidance and advice for specific situations.

Other News

  • Capacity Tracker – Provider Training
    December 30, 2020
    Recording of training session for Providers on how to use the Capacity Tracker
  • Residential Forum video and info
    December 21, 2020
    Video and related information from the Joint Forum held 16th December 2020
  • COVID-19 vaccination programme for care and nursing home staff
    December 9, 2020
    Care Home and Nursing Homes can now book appointments
  • Capacity Tracker and daily CQC home care COVID-19 impact update – Upcoming changes
    December 4, 2020
    This message is being shared with you by CQC on behalf of the […]
  • CPIC/Council/CFT Meeting update – 02/12/2020
    December 2, 2020
    CPIC meet weekly with Cornwall Council and CFT on behalf of the sector. […]
Share
Cornwall Partners in Care | Units 1 & 2 Mount Hawke Business Park, Highfield Rd, Mount Hawke, Truro, Cornwall TR4 8DZ
Registered in England Company No. 07678220
All content © 2021 Cornwall Partners in Care
Website by Sweet Chilli Media
Articles of Association
Privacy Policy
Care Association Alliance Logo and link