Since the onset of the COVID-19 pandemic, employers have faced increased obligations to ensure the health and safety of employees, whether working on-site or at home. Employers may find themselves implementing new internal policies and procedures relating to health and safety in order to comply with Government guidance. Such procedures may involve performing regular temperature checks, handling health records, and asking employees to provide new personal information. In light of these privacy-intrusive measures, employers are processing an ever-increasing amount of health information about employees, and must give renewed consideration to any personal data being stored. Importantly, an employer who sets out to take a responsible approach to data protection will be better placed to maintain employees' trust and loyalty.
COVID-related internal measures must comply with the retained EU law version of the General Data Protection Regulation ("UK GDPR") and Data Protection Act 2018 ("DPA") requirements. Compliance ensures employee personal data is handled responsibly and does not prevent employers from taking the necessary steps to keep employees safe.
Employers are required to have a lawful basis to process personal data and will generally rely on the "legitimate interest" basis which allows the processing of data when it is "necessary for the purposes of the legitimate interests" of the employer (Article 6 UK GDPR). Given that health information is "special category" personal data, employers must also identify and document an appropriate Article 9 condition before processing any health data. The relevant Article 9 conditions are likely to include the requirements that:
- processing is necessary to comply with employment law obligations, such as health and safety laws and laws recently enacted by governments in response to the coronavirus outbreak ("employment condition"); or
- processing is for reasons of public interest in the area of public health ("public health condition").
Whilst it is important for there to be a proper basis for processing data, UK GDPR often imposes additional obligations on employers depending on the information being processed. In light of UK Information Commissioner ("ICO") guidance on data protection during the pandemic, issued earlier last year, we have outlined the key areas employers should address to ensure they continue to meet their data protection obligations during COVID-19.
Data Protection Impact Assessments ("DPIA")
When processing information is likely to result in a high risk to the 'rights and freedoms' of individuals, an employer should consider undertaking a DPIA. Undertaking an assessment will allow an employer to focus on the processing in question and can be used to demonstrate observance of some of the wider obligations of accountability and transparency which flow through the data protection regime. Although DPIAs are mandatory only in certain circumstances, nothing prevents employers from undertaking them on a discretionary basis, and they can be a useful tool in this regard. A DPIA can then be carried out in relation to each activity being proposed (e.g. testing or symptom-checking). The ICO has produced a template that organisations may wish to use. In any case, a DPIA should set out:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
Employers must keep a record of DPIAs and update records of processing activities to account for the processing of new health data. It can also be helpful to put in place a policy document outlining how health data is collected and processed during the COVID-19 pandemic.
Medical testing and temperature checks
Employers must be clear about the purpose of any testing or symptom-checking and whether processing of such data is necessary for that purpose. The ICO has emphasised that employers should not collect or share irrelevant or unnecessary data relating to tests or checks. Employers can limit the amount of special category data being processed by confining collection of health data to the highest-risk roles. Access to such health data should be limited to those in appropriate positions of responsibility or medical personnel. Provided the approach to processing data is reasonable, fair and proportionate, employers may be able to rely on the DPA Schedule 1 employment condition for processing testing and symptom-related health data.
Employers must take care when using intrusive technologies such as thermal cameras. Any ongoing monitoring of employees and results collected from monitoring need to be necessary and proportionate. Employees must be clearly informed of such monitoring before it takes place (e.g. in an additional privacy notice). The Surveillance Camera Commissioner ("SCC") and ICO have published an updated SCC Data Protection Impact Assessment template aimed at assisting employers in their decision to use pandemic-related surveillance such as thermal cameras.
Before testing and symptom checking, employers must consider whether any less privacy-intrusive methods can be put in place to protect employees.
Questionnaires, health records and diagnosis
Employees may be required to inform their employer if they, or anyone else in their household, have been diagnosed with COVID-19. Employers can also require employees to notify them where they are experiencing symptoms. Where such information is stored in employee health records, employers should ensure the use of data is necessary and relevant for the stated purpose.
This type of health data may be processed under the employment condition or public health condition. Under the UK GDPR "data minimisation" and data security principles, employers should ensure that data collected from questionnaires is stored securely and kept at the minimum level needed to protect employees. It is important to ensure any systems containing health data have adequate security and access controls. Employers must take account of the duty of confidentiality owed to employees, and take care to avoid any harmful treatment of employees taking place as a result of the data collected (such as dismissals). The information should also only be retained for a limited period and deleted when it is no longer needed.
One particularly difficult issue will be whether or not to maintain a record of which employees have been vaccinated. Employers may be able to rely on the 'legitimate interest' basis for processing, but would be wise to set out how they have assessed this and concluded that such a record is appropriate; they will also need to establish a valid condition for processing. If an employer decides that keeping a record of vaccinations is justified, they should be as transparent as possible with staff as to the reasons why they are collecting this information, what they will do with it, and how long they will keep it for.
Sharing health information with authorities
An employer is obliged to inform health authorities where it has two or more confirmed COVID-19 cases (an 'outbreak'). In the event that employers are required to share information with health authorities, they can rely on the DPA Schedule 1 public health condition (to the extent that such notification involves the processing of personal data). Any information disclosed should be limited to what is necessary, and care should be taken to present it on an anonymised basis where possible.
Employers should ensure employees are able to exercise their information rights in relation to their health data. Employees have the qualified rights to access their own personal data, to have inaccurate data rectified, and to have data erased. Employers may wish to set up secure portals or self-service systems which allow employees to manage and update their health data.
It is important that employers remain transparent in respect of how any new health data is processed. Employees must be informed of what personal information is required, what it will be used for, who it will be shared with and how long any such data will be retained for.
Risks of breach
The ICO may issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, in the event of an infringement. It also has the power to issue warnings (including bans on data processing); order rectification, restriction or erasure of data; and suspend data transfers to third countries. Employees (and any other data subjects) may also bring claims directly against their employer, under Article 79 UK GDPR, along with the right to receive compensation for material or non-material damage suffered. While it may be unlikely that the ICO will issue fines anywhere close to the maximum penalties set out above for employers who inadvertently fall foul of the statutory regime, employers should consider any reputational consequences that publication of enforcement action may have on their organisation. Where employers do business in the UK and EEA, they may also be at risk of enforcement actions or complaints in several jurisdictions across the EEA as well as the UK arising out of the same incident.
If you would like to discuss any of the issues raised in this article, please contact a member of our Employment or Data Protection team.