COVID status data and GDPR (England)

The European REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) known as the GDPR – applies in the UK (UK GDPR).

UK GDPR applies to certain ‘processing’ of personal data. The ICO (the Information Commissioner’s Office) says –

If you are only conducting a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute ‘processing’. The activity would therefore fall outside of the UK GDPR’s scope.

However, if you are conducting checks digitally (for example, by scanning the QR code displayed on the pass), this would constitute processing of personal data – even if you do not keep a record of it. The UK GDPR would therefore apply.

If you make a record of any personal data, whether you conduct visual or digital checks, then you would be processing personal data and the UK GDPR would apply.

Article 9(1) of GDPR does not permit an employer to be in possession of employees’ personal and medical data. Article 9(2) sets out situations where the employer might have Covid status data.

The ICO says –

A person’s COVID status is health data, which has the protected status of ‘special category data’ under data protection law. This means it requires extra protection. You must also identify an Article 9 condition for processing. The two you could consider are:

• the employment condition; or

• the public health condition.

If you intend to rely on the public health condition, you must ensure that either a health professional carries out the processing, or that you tell people you are treating their COVID status as confidential and would only disclose it in clearly defined circumstances.

Consent is rarely appropriate in an employment setting given the imbalance of power between the employer and employee. Similarly, consent is unlikely to be appropriate where checking a COVID pass is a condition of entry to your premises. This is because you cannot consider consent to be ‘freely given’ in these circumstances.

This generally means that COVID status data cannot be held.

The ICO provides detailed information on the steps to be gone through if COVID status information is to be asked for, and held – here.

Covid-19 Vaccine Passport (EU)

UPDATE : this was (and is still technically) known as the EU COVID digital certificate – healthcareIT information is here.

From 1 July, the European Union will make available its COVID-19 vaccine passport for all EU citizens and residents, as well as for specific categories of travellers from third countries. All member states are expected to start issuing vaccine passports, at least partially, Switzerland and Iceland included.

The EU COVID-19 Vaccine Passport/Certificate is a one-piece document that can be issued to a traveller in both a paper and digital format.

Depending on the traveller’s status, there are three types of EU’s COVID-19 passport launched.

• Vaccination passport

• Test certificate

• Recovery certificate

Those holding such a document will be able to travel throughout Europe without the need to quarantine or test for COVID-19 (though the Member States may impose such restrictions on particular countries with a higher COVID-19 rate).

EU COVID Vaccination Passport

The EU COVID Vaccination Passport will be issued to all those who have been fully vaccinated against the Coronavirus, with one of the four vaccines approved by the European Medicine Agency (EMA), which are:

• Comirnaty (BioNTech, Pfizer)

• Moderna

• Vaxzevria (previously COVID-19 Vaccine AstraZeneca, Oxford)

• Janssen (Johnson & Johnson)

The certificate will prove that its holder has been vaccinated while also containing additional information on the vaccine, as when the doses were administered, who is the manufacturer, etc.

The Commission has also permitted the Member States to issue certificates for travellers vaccinated with vaccines other than those approved by the EMA. However, the decision is up to each individual Member State if they want to permit entry for those vaccinated with such vaccines or not.

EU COVID Recovery Certificate

Travellers who have recently been infected with COVID-19, and recovered from it, should also be permitted to travel with an EU COVID travel certificate.

“The EU Digital Covid Certificate of recovery confirms that the holder has recovered from a SARS-CoV-2 infection following a positive test. It should be issued no earlier than 11 days after the first positive test,” the European Commission explains.

However, the Commission also points out that tests that detect if a person developed antibodies against SARS-CoV-2 – also known as antibodies tests – cannot be used to obtain a recovery certificate.

EU COVID test certificate

All travellers who test for COVID-19 with PCR or Rapid Antigen test, and result negative, can obtain an EU COVID certificate.

“A separate certificate will be issued for each test and will not contain any data from previous certificates,” the Commission notes.

The EU has not yet come with a common timeframe within which these tests must be taken, therefore, it is up to the Member States to decide.

More information is here.

COVID-19 Workplace Testing Programme (UK)

The Government has announced it will make rapid home testing available for all businesses with over 10 employees who cannot offer on-site testing.

Businesses must register interest by 12 April to access free tests.

Details

From 6 April, the workplace testing programme will supply home test kits to companies with over 10 workers where it is not possible to set up testing on-site, due to a lack of space or because companies operate across multiple sites.

Businesses are encouraged to register before 12 April in order to access free tests until the end of June, even if they’re not yet open or are not able to start using the tests straight away.

As well as reporting their result directly to the NHS, employees should advise their employer of a positive result and take a confirmatory PCR test. Employers will retain an important role in encouraging their employees to take and report the results of their test.

Employers with fewer than 10 people can alternatively access regular testing through the community testing programme, which is now offered by all local authorities in England. Work is also underway to allow staff of small businesses to order tests online to be sent to their home.

Further details are here.

COVID-19 Employer Testing Duty (UK)

Employers employing more than 50 employees (including agency workers), are required to take reasonable steps to facilitate employees to take COVID-19 tests when they travel across international borders.

DHSC guidance stipulates ‘reasonable steps’ to facilitate the taking of tests might be:

• establishing workplace coronavirus (COVID-19) testing or providing employees with home testing

• supporting access and signposting employees to testing outside of the workplace.

Further (extensive) details are here.

Workplace testing (UK-Covid)

Some employers and third-party healthcare providers may want to introduce their own internal testing programmes outside of NHS Test and Trace.

NHS Test and Trace is for those who display symptoms of COVID-19 or who have been advised to take a test by a medical practitioner or public service. Employer and third-party healthcare providers wishing to provide a test to staff must not advise individuals without symptoms to get a test from the limited supply offered by the NHS Test and Trace service, but may offer alternative private provision.

The government first published guidance on 10 Sept 2020.

The guidance was updated several times since, and on 26 Feb 2021 was updated –

Updated to reflect the ongoing evolution of private-sector testing. In particular, updated advice in relation to lateral flow device (LFD) testing, routes to access testing, and a more comprehensive supplementary annex for employers and third-party providers wishing to offer workplace testing for asymptomatic employees.

The guidance is here.

Note CE marking is replaced by UKCA marking. Information on UKCA marking is here.

Existing CE marked goods may continue to circulate on the GB market in 2021 under transitional arrangements.

CE marked goods may circulate in Northern Ireland under the Protocol, UKCA goods must be marked UKNI in the Northern Ireland market (see the UKCA marking link).

Self-Isolation Guidance for COVID-19 Contacts (England)

I posted earlier this morning about the new legal duty to self-isolate that applies in England.

In addition to updated Guidance for households, linked to that post, Public Health England has also issued Guidance for COVID-19 Contacts (who are not Household Members) – here.

Note the new law sets out legal duties for notified persons – these are the person who tested positive (and that person must supply the names of their household) and their contacts meeting the definition of having been in close contact. The law does not set out legal duties for household members. In practice, household members and close contacts might be difficult to distinguish.

Guidance now exists for

– Households – here.

– Contacts – here.

Public Health England definition of ‘contact’ is not the same as ‘close contact’ set out in the England self-isolation law.

If you are a contact of someone who has tested positive for COVID-19, then you will be notified by the NHS Test and Trace service via text message, email or phone. If you are notified, please follow the guidance in this document closely.

If you have not been notified that you are a contact, this means you do not need to self-isolate and should follow the general guidance, for example, social distancing, hand-washing, and covering coughs and sneezes.

New Legal Duty to Self-Isolate (England)

From 12am this morning, 28 September 2020, a new legal duty exists to self-isolate if notified (by persons identified in the legislation) as being a person who has (a) tested positive for COVID-19 after 28 September 2020 or (b) had a close contact after 28 September 2020 with a person who has tested positive for COVID-19.

The notified person must self-isolate (for the period and as stipulated in the Legislation), and must also notify each person living in his/her household. The Legislation does not set out legal duties for household members.

The Legislation – The Health Protection (Coronavirus, Restrictions) (Self- Isolation) (England) Regulations 2020 (SI 1045) – is here.

Close contact means –

(1) having face-to-face contact with someone at a distance of less than 1 metre,

(2) spending more than 15 minutes within 2 metres of an individual,

(3) travelling in a car or other small vehicle with an individual or in close proximity to an individual on an aeroplane.

Please note the duties on Employers.

The Stay at Home Guidance is also updated 28 September – you will see this has instructions for household members. The status of the document is Guidance. The document is here.

COVID-19 Working Safely Guidance Updated (England)

Following press announcements yesterday and the day before, the government’s Working Safely Guidance (England) is updated to reflect a change to the 2m rule (to allow a lesser distance) and add guidance on support bubbles.

Information on the updates that have taken place to the Working Safely Guidance (England) and access to the updated documents is here.

Note : physical distancing of 2m continues to be applied in Scotland, Wales and Northern Ireland.

COVID-19 Aviation Health & Safety Protocol (EU)

On 15 April 2020, the European Commission, in cooperation with the President of the European Council, put forward a Joint European Roadmap setting out recommendations on lifting COVID-19 containment measures. I Blog posted about this at the time.

As called for in the Roadmap, on 13 May 2020, the Commission put forward further guidelines on how to progressively restore transport services, connectivity and free movement as swiftly as the health situation allows it, while protecting the health of transport workers and passengers. I also put a Blog post about this.

The Commission Communication mandated EASA (the European Union Aviation Safety Agency) and ECDC (the European Centre for Disease Prevention and Control) to issue jointly more detailed technical operational guidance for the aviation sector.

This document is here.

As the document itself says –

The purpose of this aviation health safety protocol is to provide guidance to airport operators, aeroplane operators and national aviation authorities, as well as other relevant stakeholders, on how to facilitate the safe and gradual restoration of passenger transport. This is subject to the deployment of proportionate and effective measures to protect the health of aviation personnel and passengers, by reducing the risk of SARS- CoV-2 transmission in the airport and on board aircraft as much as practicable.

COVID-19 Restrictions Changes (UK)

In the past days, a number of UK jurisdictions have changed their Restrictions law. This is in order to relax some of the lockdown measures.

The new amendments will be loaded today into the COVID-19 Law List in Cardinal Environment EHS Legislation Registers & Checklists – the COVID-19 Law List is found on the top right accessed from the OHS topic page. [UK and Ireland systems]

As this emergency situation continues, we will be bringing forward COVID-19 Law Checklists (UK jurisdictions). I will advise nearer the time when these will be available.