Earlier today, I attended my regular meet up of data protection professionals in the south west. A topic of discussion was the balance of employee safety and our obligations to data subjects, specifically in relation to health.
As lockdown eases and people make their way back into the workplace, employers are likely to adopt new preventative methods to keep people safe, such as symptom and temperature monitoring or even testing. In doing so, it is important that you remember your data protection obligations. I have created the above video to assist you on this subject; alternatively, I have written my advice for you to read below.
When you process information that relates to an identified or identifiable individual, you need to comply with the GDPR and the Data Protection Act 2018. That means handling the data lawfully, fairly and transparently.
Personal data that relates to health is more sensitive and is classed as ‘special category data’ so it must be even more carefully protected.
What does this mean in practice?
You may want to record employee temperature upon arrival to the office for example. This is simple enough in principle but in doing so you are processing data on that employee’s health.
Do data protection laws prevent me from processing health data?
No, they do not. It is likely you already store health data, for example in the form of sickness absence forms. However, you are legally responsible for the data you collect or process, meaning that you need appropriate safeguards to protect the data subject.
I’ve determined that processing is in the business’s legitimate interest. Is that enough?
No, it isn’t. Employees’ health data is ‘special category data’, meaning employers must also identify an appropriate condition for processing. One such condition, Article 9(2)(b) together with Schedule 1 condition 1 of the DPA 2018, relates to an employer’s health and safety obligations. However, the activity also has to be proportionate to the risk. As long as there is a good reason for doing so, you should be able to process health data about COVID-19. If you are collecting data that is unnecessary or disproportionate to the risk, this may not be lawful.
How can I show that our approach to testing is compliant with data protection law?
It is a balancing act and, just as with any other process, records of processing or impact assessments should be completed where necessary. The accountability principle means that you must be able to demonstrate your compliance with data protection laws, including the additional record-keeping requirements that apply when processing sensitive data.
Your documentation should consider:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
This is not a tick-box process. Impact assessments should be working documents, meaning they are regularly reviewed and updated in line with new processes and learnings. Maintaining records of how your knowledge and understanding of the risk have developed is vital.
What can I collect?
We are looking for a ‘Goldilocks’ amount: not too little and not too much. Remember that health data is special category data and so should be limited to the data required to achieve a specific purpose.
For example, you may want to conduct a wellbeing survey of staff to check for key risk factors, such as underlying health conditions that would make them (or a person in their household) high risk. Ask yourself whether each question is reasonable and necessary in order to identify the risk. For example, asking whether an employee has a history of diabetes or asthma (known risk factors for COVID-19) may be considered proportionate, but a requirement to disclose every medical condition the person has suffered in the past 10 years will likely be excessive.
There is also a risk of adopting disproportionately intrusive technologies, such as high-tech video-surveillance tools. You should also think about whether you can achieve the same results through other, less privacy-intrusive, means. If so, then the monitoring may not be considered proportionate. The Surveillance Camera Commissioner (SCC) and the Information Commissioner’s Office (ICO) have worked together to update the SCC DPIA template, which is specific to surveillance systems. This will assist your thinking before considering the use of thermal cameras or other surveillance.
It is also important that the information is kept up to date and is not used as a reason to treat the employee harmfully or unfairly.
What do I need to tell my staff?
Be transparent. There have been recent examples of data subjects becoming very conscious of how their data is being used. “Covid made me” is not going to be a sufficient excuse for implementing data processing changes without sharing this with the people impacted. If you are testing employees for COVID-19 or checking for symptoms, you should be clear about what decisions you will make with that information.
Update your privacy policies, make sure they are accessible, and ensure that staff are informed of the changes you have made. You should also remind them of how data will be used at key points of collection. For example, if you take a staff member’s temperature, it might be worth reminding them of how this data will be used (or at least where to find this information) and giving them the opportunity to raise any objections without fear of personal detriment, such as losing their job.
Finally, once collected, you should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. You have a duty as an employer to keep the workforce safe. You should however protect the individual by not naming the person concerned unless absolutely necessary.
Leanne is a solicitor in our business team. If you want to get in touch with her email firstname.lastname@example.org or call us on 01392 256854.