While the coronavirus outbreak is spreading throughout Europe, many public and private organisations are taking measures to contain the virus by putting in new ways of working and also asking for a lot more information from their staff.
The largest physical change is most companies are now allowing their staff to work from home (where possible).
The additional information businesses now need, includes asking staff to communicate to their Human Resource contact if they have any COVID-19 symptoms, if they have been tested positive/negative for COVID-19. Travel information is also being requested around staffs with requests to complete a form to declaring if they have travelled to/from specific areas or if they have been in contact with people affected by the virus. Staff who have travelled or whom are considered at ‘risk’ due to potential contacts, are being asked about their current health status.
In performing these actions, companies are collecting special categories of personal data (e.g. health data) from their employees, which under the GDPR need special protections; hence, data controllers must ensure the protection of the personal data of the data subjects.
The Data Protection Commission (DPC) issued guidance to help companies understand how to balance between protecting employee’s privacy and allow for the provision of healthcare and the management of public health: https://www.dataprotection.ie/news-media/blogs/data-protection-and-covid-19
Key points are:
- companies may process health data, under Art 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 once suitable safeguards are implemented (e.g. access limitation, strict time limits for erasure, adequate staff training);
- employers have a legal obligation to protect their employees (under the Safety, Health and Welfare at Work Act 2005) This obligation together with Art 9(2)(ii) GDPR provides a legal basis to process personal data, where necessary and proportionate;
- all personal data processed must be confidential (e.g. communicate to staff that a case of Covid-19 was identified within the company without disclosing the identity of the person affected);
- it is permissible to process personal data to protect the vital interests of an individual where necessary (e.g. incapable of giving their consent); and
- principles of transparency, confidentiality, security, data minimisation and accountability apply.
The DPC also published the below on how to protect personal data when working remotely: https://dataprotection.ie/en/news-media/blogs/protecting-personal-data-when-working-remotely
It contains sound advice on Devices, Emails and Cloud/Network access which all align to our existing policies but might be worth refreshing employees as they may find themselves in a given situation for the first time.
What companies should review and take in consideration:
- Employees’ Privacy Notices: update your “employees’ privacy notice” to include this specific processing of health data or consider to draft an ad-hoc employees’ privacy notice;
- Visitors Privacy Notice: if you collect information about visitors or other individuals who are not your employees, make sure you have a privacy notice for them;
- Register of Processing Activity (RPA): review your RPA to include this new process;
- Forms: review all forms used to collect personal data related to COVID-19 for data minimisation and transparency purposes;
- Training: make sure that who is dealing with the COVID-19 data has received the appropriate training required for handling special categories of personal data;
- Access control: restrict the access of health data; and
- Retention: consider how long you need to store any additional data collected.