The business world is being forced to adapt to new ways of working. Considerations that previously carried little risk may now feature more prominently in an organisation's risk profile. In response, the Information Commissioner’s Office (ICO) has set out the key data protection steps employers should follow when reopening and employees are returning to a workplace:
- Only collect and use data as necessary
To help you decide if collecting and using employees’ health data is necessary to keep your staff safe, you should ask yourself the following questions:
  - How will collecting extra personal information help keep your workplace safe?
  - Do you really need the information?
  - Will the test you’re considering actually help you provide a safe environment?
  - Could you achieve the same result without collecting personal information?
If you can show that your approach is reasonable, fair, and proportionate to the circumstances, then it is unlikely to raise data protection concerns.
- Keep data collection to a minimum
When collecting personal information, including people’s Covid-19 symptoms or any related test results, organisations should collect only the information needed to implement their measures appropriately and effectively.
Don’t collect personal data that you don’t need. In some cases, information only needs to be held for a short period, and there is no need to create a permanent record.
- Be clear, open and honest with staff about their data
Employees have a right to know how their information will be handled.
Some employees may be affected by some of the measures you intend to implement. For example, staff may not be able to work. You must be mindful of this, and make sure you tell people how and why you wish to use their personal information, including what the implications for them will be. You should also let employees know who you will share their information with and for how long you intend to keep it. You can do this through a clear, accessible privacy notice.
- Treat people fairly
If you’re making decisions about your staff based on the health information you collect, you must make sure your approach is fair. Think carefully about any detriment they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination.
- Keep your employees’ information secure
Any personal data you hold must be kept securely and only held for as long as is necessary.
- Staff must be able to exercise their information rights
As with any data collection, organisations must inform individuals about their rights in relation to their personal data, such as the right of access or rectification. Staff must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have with organisations.
Legal basis for processing
As well as following these principles, if you decide to implement symptom checking or testing, you must identify a lawful basis for using the information you collect.
We recommend that employers avoid reliance on “consent” as the legal basis, as employee consent is unlikely to be valid for data protection purposes as employees do not have a free and genuine choice. The most appropriate legal basis, therefore, will be that the collection of health data is in the “legitimate interests” of the employer, such interests not being overridden by the interests of the employees.
In addition, as health data is one of the “special categories” of personal data, an additional lawful basis is required. Again, we recommend that employers avoid reliance on “explicit consent”, and instead rely on the necessity to process the information to comply with the employer’s health and safety at work obligations.
Finally, if you are processing health data on a “large scale”, you will also need to conduct a “data protection impact assessment” (DPIA). The GDPR does not define what constitutes large scale; in essence, this will be determined mainly by the number of employees involved. A small business is unlikely to be processing employee data on a large scale, but even if you are not strictly required to carry out a DPIA, it is good practice to do so.
- Provide a Covid-19 specific privacy notice to your employees, as a supplement to your general staff privacy notice.
- Supplement your data retention policy to set out when personal information collected must be reviewed, deleted, or anonymised.
- If you are collecting employee health data, or checking and testing, document your legitimate interests assessment (LIA). This should address the three tests: the purpose test (identify the legitimate interest); the necessity test (consider if the processing is necessary); and the balancing test (consider the individual’s interests).
- Consider how the information will be stored to ensure it is kept secure, and who will have access to the information.
- Do you have an internal policy for a data subject access request (DSAR)? If not, it’s a good time to introduce one to ensure DSARs are handled effectively.
- If you are processing health data on a large scale, or to comply with good practice, prepare a data protection impact assessment (DPIA). This can be done as part of your wider return to work risk assessment.
Get in touch
Should you have any questions about the topics covered in this article or need assistance, please email John Nimmo, Dawn Robertson, Grant Docherty, or Neil Anderson.