Coronavirus (COVID-19) FAQs
Disclaimer: These FAQs are intended to provide information and guidance on the HR and employment law implications of the Covid-19 situation. They do not constitute legal advice and should not be relied upon as such.
Data protection during the pandemic
Last updated: 10/09/2020
1. Do we still have to comply with data protection law during the Covid-19 pandemic?
Yes. Data protection law continues to apply during the pandemic and Make UK members can access detailed guidance on data protection legal compliance in the HR and Legal Resources section of our website.
The Information Commissioner’s Office (ICO) has, however, acknowledged that the Covid-19 situation is a public health emergency, so businesses' data protection practices might not meet their usual standard, and has said that it won't penalise organisations that need to prioritise other areas or adapt their usual approach during this extraordinary period. It also reiterates and expands on that message in its publication on its current regulatory approach.
That said, employers should still exercise care when collecting special category data, keeping in mind the basic data protection principles such as proportionality and data minimisation. Some of the issues that may arise are considered in the questions below.
2. What if we receive a subject access request (SAR)?
With many employees working remotely and workplaces closed, employers are likely to experience practical difficulties in conducting the relevant searches for the requester’s personal data, assessing search results and applying exemptions, etc. in order to be able to respond to a SAR within the applicable deadline.
Employers will take some comfort from the statement in the ICO’s guidance on its regulatory approach during the pandemic that, although it cannot extend statutory timescales, it will tell people through its own communications channels that they may experience understandable delays when making information rights requests during the pandemic. In addition, the ICO’s more detailed publication on its current regulatory approach recognises that the reduction in organisations’ resources could impact their ability to respond to SARs where they need to prioritise other work due to the current crisis, and specifies that it can take this into account when considering whether to impose any formal enforcement action.
3. What should we consider from a data protection perspective if we wish to ask employees to undergo Covid-19 tests at the workplace and implement an internal contact tracing system? (Last updated 10/09/2020)
As noted in the FAQs on ‘Health and safety measures’, some employers might wish to request that employees undergo Covid-19 testing on a periodic basis to help avoid exposing their workforce to the virus. The results of such tests would constitute data concerning health, i.e. special category data. Employers who implement Covid-19 testing in the workplace might also wish to establish an internal contact tracing system, similar to the NHS Test and Trace service, but confined to their workplace.
The ICO’s guidance on workplace testing indicates that employers should consider whether testing is necessary given the specific circumstances of their organisation and workplace, taking into account the type of work they do, the type of premises they have and whether working from home is possible, as well as any health and safety requirements that apply to them and any duty of care they owe to their staff. The guidance also recommends that employers ask themselves whether they really need the information; whether testing will actually help them to provide a safe environment; and whether they could achieve the same result without collecting health information. When considering whether a less intrusive approach is possible, the guidance points to potential mitigating measures, such as confining checks to the highest risk roles; limiting who has access to the health data collected (e.g. to qualified medical professionals or individuals under a duty of confidence); and putting in place alternative safety measures such as strict social distancing or home-working where possible.
With regard to making testing mandatory, the guidance cautions employers to consider whether their use of data is fair and proportionate, taking into account any potential negative consequences for the individual and considering whether a voluntary approach could achieve the same or similar results. If testing is to be mandatory, it is essential to first conduct a data protection impact assessment (DPIA) to assess the risks associated with the collection and processing of the data and identify whether there is any less invasive way for the employer to achieve its objectives.
The ICO’s guidance reassures employers that, so long as there is a good reason for doing so, they should be able to process health data about Covid-19. It identifies ‘legitimate interests’ as the most relevant ordinary legal basis for processing. The applicable special category legal basis would be that the processing is necessary to comply with a legal obligation in relation to employment and appropriate safeguards are in place. Here, the applicable legal obligation would be the employer’s duties to the employees concerned under health and safety law. The ICO’s guidance indicates that this legal basis “will cover most of what employers need to do, as long as they are not collecting or sharing irrelevant or unnecessary data”. However, the guidance also notes the importance of ensuring any monitoring is proportionate and cautions that, if an employer can achieve its purposes by less intrusive means, the processing may not be ‘necessary’ and this legal basis may therefore not be available.
As for appropriate safeguards, the employer should ensure it has an ‘appropriate policy document’ in place setting out its approach to processing special category data and that this document is drafted broadly enough to encompass this type of processing.
The guidance also emphasises the importance of transparency and the need to provide appropriate privacy notice information to employees in respect of the data that will be collected in any temperature checks/other tests. It states “Before carrying out any tests, you should at least let your staff know what personal data is required, what it will be used for, and who you will share it with. You should also let them know how long you intend to keep the data for. It would also be helpful for you to provide employees with the opportunity to discuss the collection of such data if they have any concerns.” You should consider any potential negative consequences for staff and whether this will mean your use of their data could be unfair. Employees should also be informed about the rights they have in relation to this data, such as their right of access.
In addition, there is a focus on the importance of minimising the amount of data collected, ensuring it is adequate, relevant, limited to what is necessary for the purpose of processing and accurate. With regard to accuracy, for example, the guidance notes that employers should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid. This is particularly relevant for a Covid-19 test – as noted in the Government guidance for employers on employee testing, a virus test identifies whether an individual has Covid-19 at that specific moment in time.
The ICO guidance does not currently deal directly with internal contact tracing systems, but all of the above considerations would be relevant. Conducting a DPIA when designing the system may be a good way of ensuring that it is not unduly intrusive. Such a system will involve asking employees who have tested positive for Covid-19 for details of any colleagues with whom they have had recent close contact. Questions should be carefully designed to ensure that the employer does not gather more information than necessary. Employers will need to take care to limit access to the data so it is only seen by the staff responsible for running the internal contact tracing service. They will also need to ensure that appropriate privacy notice information is provided to all employees.
4. What are the particular data protection considerations where an employer has gathered other Covid-19-related health information about its employees? (Last updated 19/06/2020)
- In the initial stages of the Covid-19 pandemic, many employers will have sought to put together business continuity plans to address how they would deal with the situation going forwards. This may have included putting in place special measures to protect employees who would be particularly at risk if they were to contract the virus (e.g. those with serious chronic medical conditions such as heart disease, asthma or diabetes, and pregnant women). In order to ensure such measures would be effective, employers would have needed to know which employees fall into these high risk categories, so may have needed to ask employees to declare if they do. Even if the employer has not required the disclosure of specific medical conditions, the cautious approach would be to treat employees’ confirmation that they fall into a high risk group as special category data (as it is still, arguably, data concerning health).
- Where employees have had to self-isolate because they or someone in their household have had symptoms of Covid-19, they may have reported this to their employer. As with the reporting of any other sickness absence, this would involve the employer processing the employee’s special category data – and, where an employee’s self-isolation was due to someone in their household having symptoms, it could involve processing the special category data of another person.
While the Information Commissioner’s Office has indicated that it will take into account the capacity and financial pressures organisations are facing as a result of the Covid-19 pandemic when carrying out its regulatory functions, data protection law continues to apply. The ICO has produced high level guidance outlining six key data protection steps for organisations in the context of the pandemic. The key steps are:
- only collect and use data that is necessary;
- keep the data you collect to a minimum;
- be clear, open and honest with staff about their data;
- treat people fairly;
- keep people’s information secure; and
- ensure staff are able to exercise their information rights.
- In order to comply with the data minimisation principle, when gathering this information it would be appropriate to restrict it to the minimum necessary for the employer’s purpose. E.g. for business continuity planning around high risk employees, the employer could simply ask employees to confirm if they fall into a high risk category, rather than asking them to confirm which specific medical condition they suffer from. And for reporting of self-isolation, it is arguable that the employer only needs to know whether it is the employee or a member of their household who has symptoms (as this will determine the duration of self-isolation) but does not need further details. Employers that did initially gather more information should consider deleting any specific details that are no longer necessary.
- Who needs access to this information? The data minimisation principle also means that employers should limit the disclosure of personal data to those who really need it. For example, if an employer was simply making business continuity plans for the future, it would have made sense to ask employees to inform HR if they fall into a high risk category, with HR instructed only to disclose that information to line managers in the event that the plans were subsequently implemented. By contrast, if the employer intended to implement protective measures for high risk employees immediately, it would have made sense for employees to inform both their line manager and HR that they fall within a high risk group. With self-isolation reporting, it is really only HR and the employee’s line manager who would need to know when an employee is sent home because they have a fever. Employers may now be in a position to look again at who has access to the information, to ensure that access is restricted to those who really need it in the current circumstances.
- The employer should have conducted a data protection impact assessment (DPIA) to assess the risks associated with the collection and processing of the data and identify whether there was any less invasive way to achieve its objectives. The DPIA should have been recorded in writing and retained in order to demonstrate compliance with data protection law. If anything has changed with regard to how the employer processes the relevant data since it was first conducted, the DPIA should be reviewed to assess compliance on an ongoing basis.
- The employer’s special category legal basis for processing this data would be that the processing is necessary to comply with a legal obligation in relation to employment and appropriate safeguards are in place. Here, the applicable legal obligation would be the employer’s duties to the employees concerned under health and safety law. As for appropriate safeguards, the employer should ensure it has an ‘appropriate policy document’ in place setting out its approach to processing special category data and that this document is drafted broadly enough to encompass this type of processing.
- Similarly, the employer should ensure that its employee privacy notice includes sufficient information on how, why and on what legal basis the employer processes employees’ health data and should provide supplementary privacy notice information if anything is lacking. Even if the employee privacy notice does include sufficient detail, as a matter of good practice, in any communication in which it asks employees to declare if they are in a high risk group, or seeks any additional health information relevant to managing the Covid-19 situation, the employer should state its legal basis for processing this data and direct employees to the privacy notice for further information. If an employer processes special category data of another member of an employee’s household in relation to self-isolation reporting, the employer may wish to consider providing privacy notice information to that person, either directly or via the employee.
- Covid-19 data should be kept for no longer than is necessary. The employer should therefore review the information it has gathered once the pandemic subsides. As soon as the legal basis for obtaining and retaining the data no longer applies, the information should be securely disposed of.