As the country starts to consider steps to enable a return to work, employers and occupiers of buildings will be faced with difficult, even stark, choices about who to admit to premises, and how. Some form of social distancing is likely to remain in place, but even more importantly, it is going to be necessary to ensure that those who do return to work, or those who are allowed into others' work places, are free from coronavirus.
Employers and occupiers will want to consider who can be privy to information about the health of those coming into a building, and may also want to explore ways of fairly and safely excluding those who may be infectious. Excluding someone from a work place, or treating them differently to others on the basis of their health, is potentially a highly intrusive and discriminatory act, and a significant interference in their rights and freedoms, however justified.
All of this will require careful planning but, to the extent that personal data about people's health is involved, it will also require an equally careful analysis of the data protection implications. This is where undertaking a "data protection impact assessment" (DPIA) can be not just a useful risk-assessment tool, but also constitute a strict legal obligation. Article 35 of the General Data Protection Regulation (GDPR) mandates a DPIA where "a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons".
The Information Commissioner's Office (ICO) has this week confirmed that employers and occupiers are likely to need to undertake DPIAs as lockdown relaxes. The advice of a data protection officer (where one has been appointed) should be sought, but GDPR also requires that a DPIA involve:
- a systematic description of the envisaged processing operations and the purposes of the processing;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR.
It's imperative that businesses are able to operate with a semblance of normality as quickly as possible, but we have to accept that for the foreseeable future this is going to be far from "business as usual".