Consider your GDPR obligations when employees return to work during the pandemic


With the Coronavirus lockdown slowly lifting across England (and soon the rest of the UK), employers are now tackling a new set of data protection challenges as part of their attempts to allow employees to return to work safely. Whilst the government’s guidance is (quite rightly) focused on measures to provide a safe working environment, and on what you should be doing if employees can’t work remotely, can’t maintain 2m apart whilst working, etc., some employers are also considering the possibility of processing COVID-19 test results as a way of protecting employees and their customers.

So, if your workforce is returning to work and you’re planning on processing COVID-19 test data or other health information, what do you need to think about? There are a number of GDPR factors that need to be considered:

  • All processing must be lawful, meaning you have to have a lawful basis for processing. This means you will need to be clear on what the lawful basis is for processing the health data, whether that’s COVID test results, temperature checks or other health information. Which lawful basis you choose will depend on a number of factors, including who you are and what you plan on doing with the data. So, for example, if you are obliged by law to collect and process health information then “legal obligation” may be the most appropriate lawful basis. If this isn’t the case, then the ICO suggests it may be legitimate interests, but you will need to carry out a legitimate interests assessment to demonstrate you have considered this carefully. What is clear is that you can’t rely on “consent”, as consent is rarely an appropriate lawful basis in the context of employment because of the perceived power employers have over employees; and “vital interests” will not be relevant, as this only applies if you can’t ask the individual for their consent.
  • Furthermore, health data (which will include health test results and temperature check results) is considered “special category data”, meaning that as well as a lawful basis for processing, you also have to ensure that one of the “Article 9” special conditions applies. In the field of employment, this is probably the condition relating to employment and associated employer health and safety obligations (Article 9(2)(b)) – this will also require you to have an appropriate policy document in place covering your processing activity, retention periods, etc.
  • You should also consider how you will use and keep the data. Is there a need to keep the data over a long period of time? Will it become part of an employee’s health records? If the employee is off sick, do you record information in their employee absence file? Generally speaking, you will need to determine what you think is the most appropriate length of time to retain the data. So, for example, if you’re testing employees’ temperature when they arrive at work each day, do you need to actually record anything, particularly if there is no high temperature that might lead to sending the employee home? Remember, you should only process the minimal amount of data you need and only retain it for as long as it would be lawful for you to do so (if you have no need to keep it, then you should delete it).
  • The ICO requires you to document your compliance (this is the “accountability” principle in the GDPR), and this includes demonstrating that you have considered all the risks of the processing when you’re processing new data for the first time – this is what a Data Protection Impact Assessment (DPIA) is for. So, assuming you’re not normally recording medical test results or temperature readings for your employees, you will need to carry out a DPIA to identify the risks and how you can mitigate them.
  • You should also consider carefully what you may say to other employees. So, for example, if an employee who’s been working has tested positive for Coronavirus, can you tell their colleagues? Health and safety requires you to maintain the safety of your employees, so it will be important to tell them about any Coronavirus risks, but you should try to avoid divulging the identity of the employee (although that may be obvious from their absence).
  • Depending on what checks you’re carrying out, you also need to be careful if you’re using technology that could be considered intrusive, such as thermal cameras or other means of temperature checks of employees. There are strict rules about monitoring employees, and you will need to ensure this processing is proportionate and in line with employees’ expectations. If there is a less intrusive way for you to achieve the same results, you should be looking at those methods instead.
  • Finally, transparency is key – all your employees have the “right to be informed”, so they should understand that you’re collecting this data, what you will be doing with it, and what outcomes may arise from your processing of the data. This means you need to consider carefully the best way of communicating this, whether by updating your employee privacy policy or by introducing a specific statement for this specific scenario.

So, in conclusion, whilst you’ll already be battling with the UK government’s guidance on returning to work under lockdown, don’t forget your GDPR challenges as well. If you’re processing COVID-related information about your employees, you’re processing their personal “special category” data and this is covered by data protection law – the last thing you need, on top of everything else, is a disgruntled employee who is not clear what you’re doing with their health data and who complains about you!

And, if you need help, we’re here for you.

Our new helpline services are designed to offer help and support regardless of your size of business or where you are with your GDPR compliance. Our GDPR DIY helpline gives you access to our online Knowledge Centre resources, plus help via a Facebook support group so you can get everything in place yourself; our GDPR UNLIMITED helpline not only provides unlimited email and phone support and access to the Knowledge Centre, but also up to 4 hours “hands-on” help so we can do some of the hard work for you or even be your DPO for you. And, if you’re not looking for ongoing support, there’s always our PAYG (pay-as-you-go) option, where you pay by the hour for the help you need, whenever you need it.
