Employers’ Guide to Data Protection during COVID-19
With more businesses set to return to work from 4 July 2020, employers are asking whether they are allowed under the Data Protection Act 2018 (the "Act") to ask employees about their health.
Under the Act, health data is "special category data" and is afforded additional protections.
The Information Commissioner, Elizabeth Denham, has said:
"Data protection does not stop you asking employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, as long as the principles of the law - transparency, fairness and proportionality - are applied."
In order to assist businesses, the Information Commissioner’s Office (ICO) has published six key data protection steps concerning this use of health information:
- Only collect information that is necessary
The key here is being able to demonstrate that what you have done is reasonable, fair and proportionate. Do you need the information in order to keep your employees safe? Could you achieve the same result without collecting personal information?
- Keep data to a minimum
If you don’t need data, don’t collect it. Only keep it for as long as necessary – which could be a very short time. Only collect what you need to implement your protective measures appropriately and effectively.
- Be clear, open and honest with staff about their data
Notify staff about the data you will be using and what the implications for them may be. It may impact on whether staff can work or not, so you need to be open and up front about this. You should also tell staff how long you will be holding data for and if you intend to share it with any other parties.
- Treat people fairly
Where you make decisions about people based on health information, you must do it fairly. Consider the detriment they may suffer and make sure the way you use the information does not result in any form of discrimination.
- Keep information secure
Information may be collected by various people within the organisation. It needs to be stored securely and, as mentioned above, only kept for as long as necessary.
- Staff must be able to exercise their information rights
This remains key to data protection and applies to any health information collected as a result of the COVID-19 pandemic. Organisations need to inform staff about the rights they have, how to exercise them and how to raise any concerns.
If your new return-to-work safety measures do include testing staff or checking symptoms, you also need to follow additional steps:
6.1 Identify a lawful basis for collecting and using the data
This needs to be assessed for each organisation, but may be "public tasks" for public authorities or "legitimate interest" for other organisations. As health data is special category data, you also need an additional reason, which is likely to be the "employment" ground.
6.2 Carry out a data protection impact assessment if health data is processed on a large scale
Please note that whilst staff can be encouraged to engage in symptom checking or testing procedures, making these mandatory needs to be considered in the light of employment law generally and their contracts. The above steps apply to information that is legitimately collected. If you need further advice on what is permissible then please do get in touch.
Please note that the information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice. No responsibility for its accuracy or correctness is assumed by Pearson Solicitors and Financial Advisers Ltd or any of its members or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.