With the spread of COVID-19 across the globe, organisations have been implementing processes and procedures to enable business continuity as far as possible and to safeguard employees and customers against the health threat.
As a result of the crisis, organisations are facing a number of challenges from a data protection and compliance perspective, from ensuring measures are in place to protect data handled by employees working from home to establishing cyber-defence strategies, and ensuring compliance with the different regulatory requirements in the GDPR.
Also, in an effort to manage the impact of the COVID-19 outbreak and to ensure that the decisions being taken are fully informed, organisations may be collecting information from staff members that would not typically be collected, including health information.
Managing data subject requests
The UK Information Commissioner’s Office (ICO) has issued guidance for organisations regarding data subject access requests (DSARs).
Whilst the ICO cannot extend the statutory timescales for responding to DSARs, since they are set down in law by the GDPR, the ICO recognises that unavoidable delays may arise as a direct result of the impacts of COVID-19. Companies are being advised to tell people that they may experience delays when making information rights requests during the pandemic. Lester Aldridge recommends that companies continue to log and track each DSAR, record the reason for any delay, and keep the requester informed, rather than treating the ICO's position as a general extension.
Rules on sharing data with governments
As confirmed by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), companies can share anonymous data with governments to fight the spread of the pandemic, since anonymous data falls outside of EU data protection laws.
But Lester Aldridge advises companies to take note that anonymisation can be a challenging process, as the threshold to qualify data as anonymous is very high: data is only anonymous if no individual can reasonably be identified from it, taking account of all the means reasonably likely to be used. Merely removing phone numbers and device identification numbers is unlikely to be enough. Data from which direct identifiers have been removed but which can still be linked back to a person (for example through a combination of location, age and timing information) is pseudonymised, not anonymised, and remains personal data subject to the GDPR.
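The following added example (not part of the original article or the firm's guidance) illustrates the point above with a constructed staff register. Stripping the direct identifiers (name, phone, device ID) leaves every row still unique on the remaining quasi-identifiers (full postcode, exact age, sex), so each row can be linked to one person; generalising the postcode to its outward code and the age to a ten-year band raises the minimum group size. The record layout, field names and values are assumptions made up for the illustration.

```python
from collections import Counter

# Constructed sample of a staff symptom register; no real people or data.
RECORDS = [
    {"name": "A. Patel", "phone": "07700 900001", "device_id": "d-001",
     "postcode": "BH1 1AA", "age": 34, "sex": "F", "symptoms": True},
    {"name": "B. Jones", "phone": "07700 900002", "device_id": "d-002",
     "postcode": "BH1 2BB", "age": 37, "sex": "F", "symptoms": False},
    {"name": "C. Smith", "phone": "07700 900003", "device_id": "d-003",
     "postcode": "BH1 3CC", "age": 52, "sex": "M", "symptoms": False},
    {"name": "D. Khan", "phone": "07700 900004", "device_id": "d-004",
     "postcode": "BH1 4DD", "age": 58, "sex": "M", "symptoms": True},
    {"name": "E. Brown", "phone": "07700 900005", "device_id": "d-005",
     "postcode": "BH8 9EE", "age": 41, "sex": "F", "symptoms": False},
    {"name": "F. Green", "phone": "07700 900006", "device_id": "d-006",
     "postcode": "BH8 8FF", "age": 45, "sex": "F", "symptoms": False},
    {"name": "G. White", "phone": "07700 900007", "device_id": "d-007",
     "postcode": "BH8 7GG", "age": 29, "sex": "M", "symptoms": True},
    {"name": "H. Black", "phone": "07700 900008", "device_id": "d-008",
     "postcode": "BH8 6HH", "age": 23, "sex": "M", "symptoms": False},
]

# Direct identifiers point at one person on their own; quasi-identifiers do
# not individually, but in combination they often do. Field names are assumed.
DIRECT_IDENTIFIERS = ("name", "phone", "device_id")
QUASI_IDENTIFIERS = ("postcode", "age", "sex")


def strip_direct_identifiers(records):
    """Remove the fields that identify a person on their own (pseudonymisation only)."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def equivalence_classes(records, quasi):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi):
    """Smallest group size: k == 1 means at least one row is unique, hence linkable."""
    return min(equivalence_classes(records, quasi).values())


def singletons(records, quasi):
    """Rows whose quasi-identifier combination appears only once in the dataset."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] == 1]


def generalise(record):
    """Coarsen the quasi-identifiers: postcode -> outward code, age -> 10-year band."""
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]      # "BH1 1AA" -> "BH1"
    lo = (record["age"] // 10) * 10
    out["age"] = f"{lo}-{lo + 9}"                         # 34 -> "30-39"
    return out


def anonymisation_report(records):
    """Return k before and after generalisation so the effect can be compared."""
    stripped = strip_direct_identifiers(records)
    generalised = [generalise(r) for r in stripped]
    return {
        "k_after_stripping_ids": k_anonymity(stripped, QUASI_IDENTIFIERS),
        "unique_rows_after_stripping_ids": len(singletons(stripped, QUASI_IDENTIFIERS)),
        "k_after_generalising": k_anonymity(generalised, QUASI_IDENTIFIERS),
        "unique_rows_after_generalising": len(singletons(generalised, QUASI_IDENTIFIERS)),
    }


if __name__ == "__main__":
    for key, value in anonymisation_report(RECORDS).items():
        print(f"{key}: {value}")
```

Even after generalisation, k = 2 is a low bar: with only two people in a group, anyone who knows one of them can infer the other's symptom status, and k-anonymity says nothing about linkage with other datasets the recipient holds. Treat a check like this as a way to demonstrate that a release is not anonymous, never as proof that it is.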
Health data is special category data and is subject to stricter GDPR requirements than other types of personal data. According to the EDPB, companies may process employees' health data where this is necessary for reasons of substantial public interest in the area of public health, or to protect an individual's vital interests. Where a company is acting on the directions of public health authorities to share data, it is likely that Article 6(1)(c) GDPR (compliance with a legal obligation to which the company is subject) and Article 9(2)(i) GDPR, together with the public health condition in Schedule 1, Part 1, paragraph 3 of the UK Data Protection Act 2018 (the Data Protection Act), will permit the processing of personal data, including health data.
Sharing information with other employees
Perhaps the most difficult question is what to do if an employee tests positive for Covid-19. Employers have a duty to protect their staff and it is reasonable to ask employees if they have experienced Covid-19 symptoms or to take a test.
An employer has a legitimate interest in processing this data (the Article 6 ground) and, even though it is special category data, has a ground for the processing under Article 9(2)(b) and condition 1 of Schedule 1 to the Data Protection Act: the processing is necessary to comply with the employer's obligations under employment law, including its health and safety duties to staff.
There must however be a policy in place explaining the employer’s procedures to ensure that the processing complies with the data protection principles (see below) and the policies about the retention and erasure of the data.
The ICO recommends transparency as a key element in compliance. Employees should be told what data will be collected, how it will be used and who it may be shared with.
If an employee tests positive, the employer will have to tell other members of staff that a colleague has tested positive, but must avoid naming the individual wherever possible and should not provide more information than is necessary.
When sharing COVID-19 data with governments and other organisations, organisations must have the appropriate lawful grounds and follow the GDPR principles, including the following (the list is not exhaustive):
Fairness and lawfulness – have an appropriate legal basis for processing the personal data, and a separate Article 9 condition where health data is involved.
Transparency – employees must be informed in a transparent manner about any sharing of their data with the public health authorities or anyone else.
Minimisation – companies should make sure they do not process more data than necessary and only process it for specified and explicit purposes. Organisations may be tempted to collect as much information as possible from individuals relating to the coronavirus outbreak; however, the GDPR requires that organisations collect only as much personal data and/or special category data as is strictly necessary for the purposes being pursued, and keep it no longer than those purposes require.
As the lockdown eases and employees start to return to work, we would advise employers to:
- Set out a clear policy about COVID-19 information in the workplace, including how long it will be kept and when it will be erased
- Be transparent with employees about how it will operate
- Carry out a data protection impact assessment (DPIA) on the proposals to collect and share information, whether with other employees, the government or public health authorities
- Be prepared to ask questions and to make further enquiries if you are unsure whether to provide information
Organisations should continue to monitor guidance issued at a European-level by the EDPB, as well as the guidance of the ICO.