A disease that few of us had even heard of until recently has now become the main topic of conversation in workplaces and homes.
Given how quickly COVID-19 can spread it’s no surprise that employers are introducing measures to prevent the disease causing serious problems to their day to day activities as well as taking steps to protect the health of their employees. Regrettably one of the consequences of the heightened public health concerns has been the cancellation or postponement of many events. Bates Wells is not immune to this and we are currently postponing the Data Privacy Conference for Charities that we’d hoped to hold in June.
Where organisations take steps to gather information on employees and visitors to their premises (e.g. recent travel information), they are going to collect personal data. Some of this potentially will be special category data (i.e. health information) which they should use in compliance with data protection law. In times of acute public concern like this, data protection law should not stop people acting to protect themselves and others. However, understandably there can be a number of questions that frequently come up when thinking through the implications of how to comply with data protection requirements.
1. What information can we collect?
You should only collect information that you really need. In the current circumstances, however, asking employees where they are going on holiday or where they’ve been is increasingly a reasonable question to ask. Knowing that an employee is returning from a Category 1 or Category 2 country or area is key to being aware of the risk to that employee and their colleagues if they return to work.
But an employer doesn’t need to know a full medical history of an employee or a visitor to its premises. However, you could legitimately ask an individual for confirmation of whether they’ve travelled to certain countries or been in touch with anyone else who has. Likewise, you can ask an individual whether they are experiencing flu-like symptoms.
Some employers are also collecting more specific health information such as body temperatures of employees or visitors. While the data protection authorities in France and Italy have stated that employers should not collect this type of information from employees, the Information Commissioner in the UK has not specifically prohibited this. However, you’d need to be able to justify why collecting body temperature or engaging in other activities monitoring employees’ health is justified. Any systematic, regular and widespread collection of employee health information by an employer will be harder to justify.
2. How should we collect it?
Typically you can ask an individual to complete a form which asks certain questions. If you are using a form, you should think about how you can also provide the individuals with access to your privacy notice, whether through a short form privacy notice attached to the form, or a document that reflects the full requirements under the GDPR.
However, employers should be wary of using a consent form due to the high standard of consent now required under the GDPR and the practical difficulties of obtaining a valid consent from an employee.
An alternative approach is to consider your legal analysis where:
- You rely on the legitimate interest ground under Article 6
- You rely on any of these three conditions under Article 9 for the collection and use of any health information: (i) processing necessary for carrying out obligations under employment law (e.g. providing a safe working environment for employees); (ii) processing necessary for the purposes of preventative or occupational medicine and for the assessment of the working capacity of the employee; and/ or (iii) processing necessary for reasons of public interest in the area of public health such as protecting against serious cross-border threats to health.
3. How should we use it?
The information you collect on individuals should only be used for the specific purpose for which you’ve collected it – which will usually be to protect the workplace from infection and potentially notify individuals should you become aware of a subsequent infection.
The information should be held securely and only retained for the particular purpose of collection. So, in due course, you should consider securely deleting it as and when the concerns around COVID-19 subside.
4. Can we share this information?
It may be necessary to share information about an individual’s possible infection, if they’re self-isolating or if they have been tested as positive. It may also be necessary to alert those who have had recent contact with them.
But you should only disclose the name of someone who’s infected or at risk of infection when it is necessary to do so. For instance, if you know an individual who attended a particular seminar has been tested as positive, you can contact all those who attended and let them know of the possible risk to them without mentioning the name of the individual who now has the disease.
It may also be necessary to share information with public health authorities and healthcare professionals. The GDPR will not stop you from doing so.
5. How can we demonstrate compliance?
You should consider whether you need to update your privacy notice if you are collecting this information or introduce a new specific privacy notice for information collected related to COVID-19 concerns. If you are relying on legitimate interest, it is prudent to carry out a legitimate interest assessment.
Remember in the UK there’s also a requirement under the Data Protection Act 2018 to implement an appropriate policy document when collecting special category data in many instances.
You can also avoid collecting this information in many cases if you encourage employees or visitors to proactively take responsibility for their own health and to approach the health authorities directly if they are concerned that they may be infected.
6. Has the ICO provided any guidance?
Yes, the ICO published guidance on 12th March available here.
The ICO’s guidance also provides reassurance for those dealing with a drain on resources due to COVID-19 concerns. For instance, the ICO comments on those handling Subject Access Requests who are worried about meeting the timelines required.
The Irish Data Protection Commissioner has also published guidance available here.
If you have any questions, please contact Victoria Hordern.