Data Protection considerations for employees going back to work during Covid-19
Posted on June 09, 2020← Back to Info Centre
Employers are being told to undertake risk assessments before allowing their employees back into the workplace, but what about data protection? There was a surge of information following the roll out of GDPR, workplaces were inundated with warnings of fines and there was a fear of a new culture of claims from individuals regarding their data protection rights.
What we learnt from the GDPR is that special category data involves more consideration by companies because it is sensitive and therefore, on the back of COVID-19, companies should be careful when asking their employees how they are feeling and what their symptoms are. COVID-19 has four main systems as at the date of this article: a fever (high temperature), a continuous cough, loss of sense of smell and loss of taste. But, as an employer you should be careful when asking your employees to report their precise symptoms to you (although their existence is legitimate for the employer to know).
Why? GDPR makes it key for an employer to tell employees what they are doing with their personal data, and why they are doing it. If you are going to record employee information such as their symptoms including their temperature you should make sure that you are updating your privacy or fair processing statement and circulate the update accordingly. Transparency is vital for compliance with GDPR and Data Protection Laws.
Whether you are recording, collecting, seeking, obtaining or otherwise collating (all of which arguably fall within the definition of processing of data under Data Protection law) any special category data you are required to process with a lawful basis pursuant to Article 6 of GDPR and you must have a separate condition for that processing under Article 9. The lawful basis and the condition of both Articles do not have to be linked. It is generally expected that, before processing special category data, a company would complete a risk assessment (or a privacy impact assessment) and consider whether there is any less intrusive way to deal with the issue involving sensitive personal data.
To safeguard against criticism for handling of special category data, it is always recommended that a company document the thought process and decision-making exercise. Upon inspection, be sure that you have recorded your consideration of your employee’s rights and how you would best protect them. There is a balancing act to be done of course, between seeking the special category data from employees in order to best protect your workforce and protecting that personal data you have processed. It is probably not enough to use the global pandemic as a shield and claim that it would be obvious why you are asking questions of your employees regarding their health.
Currently, Government guidance is not to take the temperature of your staff upon their return, but knowledge-by-media informs us that Asia and the USA are readily adopting such a measure. Whilst it is not recommended by Government, it would be difficult to carry out such testing without ensuring robust policy and privacy procedures are in place within a company and you would be wise to seek legal advice as to how such measures would accurately fall within Article 6 and Article 9 of GDPR.
In summary, as much as GDPR gave many a headache back in May 2018, employers should not ignore Data Protection law when considering allowing employees back into the workplace.
Amelia Quinn is an associate advocate at Isle of Man law firm M&P Legal. Specific advice should be sought on particular casesBack to top