Employers’ primary concern at this time will be the health and safety of their employees in the wake of what has been declared a global pandemic by the World Health Organization. However, employers should still have regard to their data protection obligations. As employers gather information from their employees about their travel and their health, they will be processing personal data and any data concerning their employees’ health will be special category data, which has additional protection under the General Data Protection Regulation (GDPR). At a time when employers may be feeling bombarded by information, we set out below five key steps that employers should take to protect their employees’ personal data. Employers may also find it helpful to read the guidance issued by the Information Commissioner’s Office (ICO) this week: “Data Protection and Coronavirus: what you need to know,” which acknowledges the unprecedented challenges organisations are facing at this time.
1. Identify the lawful basis for processing
Employers must have a lawful basis for processing personal data. To process special category data the GDPR requires both an Article 6 and an Article 9 condition to be satisfied. Given the current situation, it is likely that employers will be able to satisfy Article 9 (2)(b) (processing is necessary for the purposes of carrying out the obligations of the data controller in the field of employment law) and/or 9(2)(i) (processing is necessary for reasons of public interest in the areas of public health). Employers should also consider the bases for processing provided for in domestic legislation (which in the UK are set out in Schedule 1 (Part 1) of the Data Protection Act 2018).
2. Consider what data to collect
In determining what data they should collect in relation to an employee who has Coronavirus (or suspected Coronavirus), employers should be guided by public health authority sources such as Public Health England (PHE) in the UK. In relation to other data which they opt to collect, employers should be guided by the principle of data minimisation and only collect information which is adequate, relevant and limited to what is necessary for the purpose for which it is being processed. In order to assess the risk of Coronavirus within the workplace it is likely to be necessary to collect data relating to an employee’s: symptoms; travel to any Coronavirus “hot zones”; contact with individuals who have Coronavirus symptoms or who have been in Coronavirus “hot zones”; and contact with colleagues and/or relevant third parties such as clients. The ICO has confirmed in the guidance issued this week that it considers it reasonable to ask people if they have visited a particular country, or are experiencing symptoms.
3. Limit sharing data with third parties
It is likely that employers will be required to share their employees’ personal data with local health authorities and/or government agencies. As it stands in the UK, a business with an employee who contracts Coronavirus, will be contacted by the Public Health England Local Health Protection Team to: discuss the case; identify people who have been in contact with that employee; and advise on any actions or precautions that should be taken and the extent to which other staff need to be informed. See “Guidance for Employers and Business about Covid-19” for further guidance. The identity of the affected individual should remain confidential, where possible, although in order to identify who might have come into contact with the individual, it may be necessary to reveal his/her identity to a limited number of third parties.
A business may also need to share Coronavirus-related personal data with third parties such as contractors, service providers or its group companies but should do so only to the extent necessary – for example, a parent company may need the data to implement global health and safety measures or to restrict travel between its offices. Employers should identify the lawful basis for sharing such data and consider whether there is an appropriate data sharing agreement in place.
4. Store data securely and for no longer than is necessary
Given the sensitivity of much of the data that will be processed, employers should ensure it is stored securely and that access to it is strictly limited. It should also be stored for no longer than is necessary for the purpose for which it was processed. Businesses should aim to keep the retention period to a minimum whilst taking into account any local regulatory or legal requirements and the limitation periods for personal injury/health and safety claims.
5. Review/update data protection policies and procedures
Employers should check that what they are proposing to do with any health-related personal data falls within the scope of their employee privacy notice. Transparency is key, so whilst updating privacy notices may not be a priority currently, employers should ensure that employees are aware of what data is being processed, why and with whom it is being shared.
Given the nature of the personal data involved, a Data Protection Impact Assessment (DPIA) would be advisable. A DPIA need not be lengthy or time consuming – at the very least employers should identify and assess key risks and measures to mitigate risk (for example, limiting access to information to certain key individuals and ensuring appropriate security measures are in place).
In the longer term, employers should review any data protection or IT security policies to ensure that they address this type of situation.