GDPR Data Protection MDdm


COVID-19 Return to Work

Employer Data Protection Law Considerations

The Data Protection Commission (DPC) recognizes that during the COVID-19 pandemic, employers might need to share or collect information quickly to adapt to the demanding situations faced in order to maintain normal business functions as far as possible. However, the European Data Protection Board (EDPB) has stated:

“even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects”

So we have set out below the key issues and some advice to assist.

KNOW YOUR SUSCEPTIBLE EMPLOYEES

Be aware of employees suffering from underlying health conditions or symptoms by carrying out a risk assessment for all employees.

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Processing health data, which is considered special category data, may require carrying out a DPIA in order for the employer to make informed choices on any risks and identify possible mitigating safeguards.


EMPLOYEE QUESTIONNAIRES AND TEMPERATURE TESTING

The Government Return to Work Safely Protocol (Protocol) does not address data protection issues; however, the Protocol does require employers to ask a list of questions of employees before they return to work.

Temperature testing is not currently mandatory and should be implemented in line with public health advice. If an employer decides to carry out such testing, consideration must be given to the following:

  1. Possible DPIA requirements;

  2. Who should carry out such tests;

  3. False positive results;

  4. Retention of the testing results;

  5. Employee refusal to be tested;

  6. Whether less onerous alternatives exist, such as self-testing before attending the workplace.


COLLECTING AND PROCESSING PERSONAL DATA / SPECIAL CATEGORY DATA

The key data protection and privacy actions employers should consider are as follows:

  • Questionnaires to be completed by staff in advance of returning to work requesting recent medical information regarding the virus such as symptoms of fever, high temperature etc.

  • Employers have a duty of care and as such would be justified in requiring employees to inform them if they have a medical diagnosis of COVID-19 to allow necessary steps to be taken.

  • Employers should consider their obligations under data protection law when processing health data.

  • Employers will be required to have an appropriate legal basis, whether processing personal data or special category data; this may include certain obligations relating to health and safety at the workplace, or the public interest.


CONSIDER THE LEGAL BASIS FOR ALL THIS ADDITIONAL PROCESSING

There are very limited situations where employers may rely on consent from an employee for processing personal data due to the imbalance of power.

So, it is important to note that when processing personal data, including health data, suitable safeguards must also be implemented. These may include:

  • Limitation on access to the data;

  • Strict time limits for erasure; 

  • Adequate training for staff to protect rights of data subjects.

 
SUPPLEMENTAL DATA PROTECTION NOTICES

Employers are required to comply with the transparency obligations under GDPR and should have the relevant information available to all data subjects, either by supplementing existing notices or providing a specific notice, about further processing of personal data which details:

  • Categories of data subjects affected;

  • Categories of personal data processed;

  • The purpose and legal basis of the processing; 

  • Information on retention of the personal data.

 
LIMIT THE PERSONAL DATA COLLECTED WHERE POSSIBLE

Only collect the minimal amount of personal data required in order to make a safe assessment.

The employer should only require health information to the extent that national law allows it.


SHARING PERSONAL DATA

Employers are permitted to inform staff about COVID-19 cases and take protective measures but should not communicate more information than necessary.

In cases where it is really necessary to reveal the name of the employee(s) who contracted the virus (e.g. only in a preventive context) and national law allows it, the employees concerned shall be informed in advance and their dignity and integrity should be protected.


RETENTION OF THE ADDITIONAL PERSONAL DATA COLLECTED

Do not retain information for any longer than is required to carry out the purpose for which the data was collected.

As soon as assessments are made, consider if deleting the supplemental personal data is possible and appropriate. For instance, health data gathered from temperature checks should not be retained unless required.


DATA SECURITY

Finally, during this time and with much more focus on remote working, employers should be vigilant and minimise the risks posed by cyber security threats by reminding staff of current best practices. The DPC has issued specific guidance in this area.

MDdM can assist you with any aspect of complying with your Data Protection obligations.