With the Coronavirus lockdown slowly lifting across England (and soon the rest of the UK), employers are now tackling a new set of data protection challenges as part of their attempts to allow employees to return to work safely. Whilst the government’s guidance is (quite rightly) focused on measures to provide a safe working environment and on what you should be doing if employees can’t work remotely, can’t maintain 2m distance whilst working, etc., some employers are also considering the possibility of processing COVID-19 test results as a way of protecting employees and their customers.
So, if your workforce is returning to work and you’re planning on processing COVID-19 test data or other health information, what do you need to think about? There are a number of GDPR factors that need to be considered:
- All processing must be lawful, meaning you have to have a lawful basis for processing. This means you will need to be clear on what the lawful basis is for processing the health data, whether that’s COVID test results, temperature checks or other health information. Which lawful basis you choose will depend on a number of factors, including who you are and what you plan on doing with the data. So, for example, if you are obliged by law to collect and process health information, then “legal obligation” may be the most appropriate lawful basis. If this isn’t the case, then the ICO suggests it may be legitimate interests, but you will need to carry out a legitimate interests assessment to demonstrate you have considered this carefully. What is clear is that you can’t rely on “consent”, as consent is rarely an appropriate lawful basis in the context of employment because of the perceived power employers have over employees; and “vital interests” will not be relevant, as this only applies if you can’t ask the individual for their consent.
- Furthermore, health data (which will include health test results and temperature check results) is considered “special category data”, meaning that as well as a lawful basis for processing, you also have to ensure that one of the “Article 9” special conditions applies. In the field of employment, this is probably the condition relating to employment and associated employer health and safety obligations (Article 9(2)(b)) – this will also require you to have an appropriate policy document in place covering your processing activity, retention periods, etc.
- You should also consider how you will use and keep the data. Is there a need to keep the data over a long period of time? Will it become part of an employee’s health records? If the employee is off sick, do you record information in their employee absence file? Generally speaking, you will need to determine what you think is the most appropriate length of time to retain the data. So, for example, if you’re testing employees’ temperature when they arrive at work each day, do you need to actually record anything, particularly if there is no high temperature that might lead to sending the employee home? Remember, you should only process the minimal amount of data you need and only retain it for as long as it would be lawful for you to do so (if you have no need to keep it, then you should delete it).
- The ICO requires you to document your compliance (this is the “accountability” principle in the GDPR), and this includes demonstrating you have considered all the risks of the processing when you’re processing new data for the first time – this is what a Data Protection Impact Assessment (DPIA) is for. So, assuming you’re not normally recording medical test results or temperature readings for your employees, you will need to carry out a DPIA to identify the risks and how you can mitigate them.
- You should also consider carefully what you may say to other employees. So, for example, if an employee who’s been working has tested positive for Coronavirus, can you tell their colleagues? Health and safety law requires you to maintain the safety of your employees, so it will be important to tell them about any Coronavirus risks, but you should try to avoid divulging the identity of the employee (although that may be obvious from their absence).
- Depending on what checks you’re carrying out, you also need to be careful if you’re using technology that could be considered intrusive, such as thermal cameras or other means of checking employees’ temperature. There are strict rules about monitoring employees, and you will need to ensure this processing is proportionate and in line with employees’ expectations. If there is a less intrusive way for you to achieve the same results, you should be looking at those methods instead.
So, in conclusion, whilst you’ll already be battling with the UK government’s guidance on returning to work under lockdown, don’t forget your GDPR challenges as well. If you’re processing COVID-related information about your employees, you’re processing their personal “special category” data, and this is covered by data protection law – the last thing you need, on top of everything else, is a disgruntled employee who is not clear what you’re doing with their health data and who complains about you!
And, if you need help, we’re here for you.
Our new helpline services are designed to offer help and support regardless of your size of business or where you are with your GDPR compliance. Our GDPR DIY helpline gives you access to our online Knowledge Centre resources, plus help via a Facebook support group so you can get everything in place yourself; our GDPR UNLIMITED helpline not only provides unlimited email and phone support and access to the Knowledge Centre, but also up to 4 hours “hands-on” help so we can do some of the hard work for you or even be your DPO for you. And, if you’re not looking for ongoing support, there’s always our PAYG (pay-as-you-go) option, where you pay by the hour for the help you need, whenever you need it.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR