With the government gradually easing lockdown restrictions and giving the green light for different types of businesses to return to work, employers have obligations to ensure the health and safety of employees while at work. To assist in this, employers may begin processing more health information about employees than they did pre-COVID-19. In this article, we look at how employers can do this in a way that complies with data protection laws.
Actions for businesses to protect employees and stay GDPR compliant
With the government proposing to ease the current lockdown restrictions to allow more people to get back to work, many organisations are conducting risk assessments (as recommended by the government) and putting together internal policies and procedures on how to keep individuals safe during the course of their work (we'll refer to this as "internal COVID-19 plan").
For some organisations, it may be appropriate to collect more personal data, especially health information, as one way to maintain the health of the workforce. This means that any internal COVID-19 plan must comply with the requirements under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Indeed, the ICO has recently published FAQ-style guidance for employers on this topic.
We have outlined below the key data protection issues and action items that should form part of an organisation's wider efforts to create a safe work environment.
1. Do a Data Protection Impact Assessment
Before any personal data is collected, organisations should carry out a data protection impact assessment, weighing the risk to the individual against the need of the organisation and the benefit to the individual. Health information is classed as a "special category of personal data" and therefore sits in a higher risk category, so the balance needs to be examined even more carefully to ensure that appropriate protections are in place. A data protection impact assessment is both important evidence of an organisation's compliance with the data protection laws and a practical way for an organisation to work through the GDPR principles and how they translate into reality in the context of its own work environment.
As well as involving your data protection officer, wider employee engagement at this stage would be beneficial. The government recommends engagement when putting together the broader COVID-19 risk assessment and data protection law requires engagement where "appropriate", which would include any high risk processing. Even if there is not a high risk, consultation is good practice and will increase awareness, buy-in and trust.
2. Identify a Clear Need for Specific Types of Personal Data
In line with the GDPR principles of "purpose limitation" and "data minimisation", personal data must be collected for a specific purpose and be limited to what is necessary for such purpose.
In practice, this means that organisations should assess and identify the types of personal data that they need to process in order to ensure that employees can carry out their work while complying with social distancing, hygiene and minimal contact with others. For example, is it necessary to use CCTV to ensure that employees comply with social distancing? Is it necessary to take the temperature of employees as they enter the workplace? Should anyone who has come into contact with an employee who tests positive for COVID-19 be notified? Personal data that is a nice-to-have but not necessary should not be collected. So employers must be clear as to why data being processed is necessary to meet the employers' stated objectives and obligations.
3. Identify the Lawful Basis of Processing
Once employers are clear on why data is being processed and for what purpose, they must ensure that this falls within one of the lawful bases of processing as provided in the data protection laws.
For processing standard types of personal data (such as name and contact details), employers can often rely on their "legitimate interests". Employers could also rely on compliance with the legal obligation they owe to employees to provide a safe working environment.
Health information and other special categories of personal data need, in addition to that lawful basis, a separate condition for processing special category data. Employers can rely on the condition of carrying out obligations in the field of employment law, which includes health and safety.
For some employers, and depending on context, it may be relevant to consider processing on grounds of substantial public interest, or medical diagnosis or public health.
Note that employers should not ask their employees to provide their "consent" to the provision of their personal data as consent from employees is very unlikely to be valid due to the imbalance in power of the employer-employee relationship.
4. Provide a Privacy Notice
If your standard privacy notice to employees does not cover the personal data that you want to process as part of your internal COVID-19 plan (which is likely to be the case for most organisations given the unprecedented nature of this public health emergency), then an additional privacy notice should be drafted that explains the data processing activities taking place under the internal COVID-19 plan.
In particular, if you are testing employees for COVID-19 or checking for symptoms, you should be clear about what decisions you will make with that information.
Employers should provide the relevant privacy notice to the employees before any personal data is collected in a way that is clear and easily accessible (for example, by posting it on the internal HR hub with communications to draw employees' attention to it). It would also be helpful from a compliance perspective (and also to encourage more active engagement) to invite employees to provide their feedback and share any concerns they may have.
5. Consider Confidentiality and Security
We appreciate that keeping staff informed about potential or confirmed COVID-19 cases amongst colleagues is important. However, you should avoid sharing actual names of individuals where possible, and you should not share more information than is necessary for the purpose of ensuring their safety. Such disclosure of identity may cause harm or distress (mental or physical) to the individuals concerned.
Given the sensitivity of the personal data being collected, organisations should take care to store the data securely, permit access only to authorised personnel who need it for the stated purpose, and keep the data no longer than is necessary for that purpose.
Where your employees need to interact with others (the public or employees of other organisations) you may need to consider sharing information about potential or confirmed COVID-19 cases outside of your organisation. Such sharing should only be done where it is necessary for the organisation to meet its objectives, after employees are told about the sharing in the privacy notice and using a secure transfer mechanism to disclose the data. For repeated sharing, it may be wise for organisations to put in place a data sharing agreement with the other party to set out the legal responsibilities between them formally.
6. Document the Measures Taken
Organisations should appropriately document any measures implemented and the decision-making process in order to meet the standard of accountability. This could form part of the documentation in your internal COVID-19 plan or be kept as part of your data protection governance and records.
In particular, if processing health data, organisations must consider:
- Putting in place an "Appropriate Policy Document", which should deal specifically with the collection and processing of health data for this particular COVID-19 purpose;
- Updating the organisation's "Records of Processing Activities" to include any new data that will be processed; and
- Keeping records of your "Data Protection Impact Assessment", in particular if the processing of data for COVID-19 purposes represents a high risk to the individuals affected by this processing activity.
The ICO recently stated that during this COVID-19 pandemic it will approach enforcement "in an empathetic and pragmatic way". While it is encouraging to see that the ICO recognises the difficulty that all organisations are currently facing, this should not be mistaken as a "free pass" to disregard the requirements under the data protection laws. The fact that the regulator has recently provided guidance on the subject of workplace testing goes to show that this is an area of interest.
We appreciate that it is a challenge for many organisations to get to grips with an unprecedented, changing situation. However, the rules that apply from a data protection perspective have not changed and employers must apply those rules to the new context of a pandemic. Given the changing nature of the disease and government guidance, we recommend that organisations regularly review the measures carried out and make changes where necessary.