Disclaimer: These FAQs are intended to provide information and guidance on the HR and employment law implications of the Covid-19 situation. They do not constitute legal advice and should not be relied upon as such.
Data protection during the pandemic
Last updated: 25/09/2020
1. Do we still have to comply with data protection law during the Covid-19 pandemic? (Last updated 25/09/2020)
Yes. Data protection law continues to apply during the pandemic and Make UK members can access detailed guidance on data protection legal compliance in the HR and Legal Resources section of our website.
The Information Commissioner’s Office (ICO) has, however, acknowledged that the Covid-19 situation is a public health emergency, so businesses' data protection practices might not meet their usual standard, and has said that it won't penalise organisations that need to prioritise other areas or adapt their usual approach during this extraordinary period. However, on 24 September, the ICO published an update on its regulatory approach in response to the pandemic in which it states that it is taking steps towards returning to its approach before Covid-19 – although still accepting that there are caveats and exceptions necessary to reflect the current situation.
Employers should therefore still exercise care when collecting special category data, keeping in mind the basic data protection principles such as proportionality, data minimisation, etc. Some of the issues that may arise are considered in the questions below.
2. What if we receive a subject access request (SAR)? (Last updated 25/09/2020)
With many employees working remotely, employers are likely to experience practical difficulties in conducting the relevant searches for the requester’s personal data, assessing search results and applying exemptions, etc. in order to be able to respond to a SAR within the applicable deadline.
Employers will take some comfort in the statement in the ICO’s guidance on its regulatory approach during the pandemic, although they cannot extend statutory timescales, they will tell people through their own communications channels that they may experience understandable delays when making information rights requests during the pandemic.
However, while the ICO’s previous publication on its regulatory approach expressly recognised that the reduction in organisations’ resources could impact their ability to respond to SARs, where they need to prioritise other work due to the current crisis, and specified that it could take this into account when considering whether to impose any formal enforcement action, its updated regulatory approach, published on 24 September, no longer includes such express reassurance. Indeed, the updated regulatory approach notes that organisations have told the ICO that they have begun to release resources that were diverted to deal with the pandemic back to dealing with information rights requests, with most organisations now able to deal with such requests from members of the public. The ICO expects organisations that have a backlog of such requests to have robust recovery plans in place to ensure they reduce the backlog within a reasonable timeframe.
That said, the updated publication does still acknowledge that organisations are trying to operate during uncertain and challenging times, and the ICO will adjust its regulatory approach accordingly. We therefore think it is unlikely that the ICO would impose heavy fines on organisations that can demonstrate they are doing their best to respond to any SARs they receive in as timely and effective a manner as possible given their circumstances and resources.
2(a). What if we experience a personal data breach? Do we still need to report this to the ICO within 72 hours? (Last updated 25/09/2020)
Under the GDPR, you must inform the ICO of any personal data breach (i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed) without undue delay (and, where feasible, within 72 hours of becoming aware of it), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
The 72-hour timeframe for notifying the ICO of personal data breaches remains in force during the Covid-19 crisis, and the ICO’s publication on its regulatory approach, updated on 24 September, no longer includes the acknowledgment (that appeared in the previous version) that the pandemic “may impact” on organisations’ ability to meet this deadline. It is therefore important to have a solid incident response plan in place so that everyone knows what a data breach looks like and who they should report it to. (This may be a particular concern where you have employees working remotely. The ICO has produced helpful guidance on the data security issues that employers and employees should consider in relation to home working, with tips on areas such as cloud storage, remote applications and email).
Make UK members can find further information on data breach reporting requirements in the HR & Legal Resources section of our website.
3. What should we consider from a data protection perspective if we wish to ask employees to undergo Covid-19 tests at the workplace and implement an internal contact tracing system? (Last updated 10/09/2020)
As noted in the FAQs on ‘Health and safety measures’, some employers might wish to request that employees undergo Covid-19 testing on a periodic basis to help avoid exposing their workforce to the virus. The results of such tests would constitute data concerning health, i.e. special category data. Employers who implement Covid-19 testing in the workplace might also wish to establish an internal contact tracing system, similar to the NHS Test and Trace service, but confined to their workplace.
The ICO’s guidance on workplace testing indicates that employers should consider whether testing is necessary given the specific circumstances of their organisation and workplace, taking into account the type of work they do, the type of premises they have and whether working from home is possible, as well as any health and safety requirements that apply to them and any duty of care they owe to their staff. The guidance also recommends that employers ask themselves whether they really need the information; whether testing will actually help them to provide a safe environment; and whether they could achieve the same result without collecting health information. When considering whether a less intrusive approach is possible, the guidance points to potential mitigating measures, such as confining checks to the highest risk roles; limiting who has access to the health data collected (e.g. to qualified medical professionals or individuals under a duty of confidence); and putting in place alternative safety measures such as strict social distancing or home-working where possible.
With regard to making testing mandatory, the guidance cautions employers to consider whether their use of data is fair and proportionate, taking into account any potential negative consequences for the individual and considering whether a voluntary approach could achieve the same or similar results. If testing is to be mandatory, it is essential to first conduct a data protection impact assessment (DPIA) to assess the risks associated with the collection and processing of the data and identify whether there is any less invasive way for the employer to achieve its objectives.
The ICO’s guidance reassures employers that, so long as there is a good reason for doing so, they should be able to process health data about Covid-19. It identifies ‘legitimate interests’ as the most relevant ordinary legal basis for processing. The applicable special category legal basis would be that the processing is necessary to comply with a legal obligation in relation to employment and appropriate safeguards are in place. Here, the applicable legal obligation would be the employer’s duties to the employees concerned under health and safety law. The ICO’s guidance indicates that this legal basis “will cover most of what employers need to do, as long as they are not collecting or sharing irrelevant or unnecessary data”. However, the guidance also notes the importance of ensuring any monitoring is proportionate and cautions that, if an employer can achieve its purposes by less intrusive means, this may not be the case.
As for appropriate safeguards, the employer should ensure it has an ‘appropriate policy document’ in place setting out its approach to processing special category data and that this document is drafted broadly enough to encompass this type of processing.
The guidance also emphasises the importance of transparency and the need to provide appropriate privacy notice information to employees in respect of the data that will be collected in any temperature checks/other tests. It states “Before carrying out any tests, you should at least let your staff know what personal data is required, what it will be used for, and who you will share it with. You should also let them know how long you intend to keep the data for. It would also be helpful for you to provide employees with the opportunity to discuss the collection of such data if they have any concerns.” You should consider any potential negative consequences for staff and whether this will mean your use of their data could be unfair. Employees should also be informed about the rights they have in relation to this data, such as their right of access.
In addition, there is a focus on the importance of minimising the amount of data collected, ensuring it is adequate, relevant, limited to what is necessary for the purpose of processing and accurate. With regard to accuracy, for example, the guidance notes that employers should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid. This is particularly relevant for a Covid-19 test – as noted in the Government guidance for employers on employee testing, a virus test identifies whether an individual has Covid-19 at that specific moment in time.
The ICO guidance does not currently deal directly with internal contact tracing systems, but all of the above considerations would be relevant. Conducting a DPIA when designing the system may be a good way of ensuring that it is not unduly intrusive. Such a system will involve asking employees who have tested positive for Covid-19 for details of any colleagues with whom they have had recent close contact. Questions should be carefully designed to ensure that the employer does not gather more information than necessary. Employers will need to take care to limit access to the data so it is only seen by the staff responsible for running the internal contact tracing service. They will also need to ensure that appropriate privacy notice information is provided to all employees.
3(a). Can and should we share details of employees who have confirmed or suspected Covid-19 with Public Health England and/or our local authority? (Last updated 25/09/2020)
Government guidance on working safely during Covid-19 states that if there is more than one case of Covid-19 associated with a workplace, the employer should contact their local Health Protection Team to report a suspected outbreak. If the local Health Protection Team declares an outbreak, the employer will be asked to record details of symptomatic staff and assist with identifying who they may have been in contact with. In addition, we are aware of some companies receiving letters from their local authority telling them that, as well as details of any confirmed cases, they must also share details of any suspected cases. This is said to be in order to facilitate contact tracing under the NHS Test and Trace service.
Is the request genuine?
As a preliminary point, it is worth noting that any employer that receives a request for disclosure of employees’ details should take steps to ensure that it is a genuine request from the local authority. They could, for example, get in touch with the authority using the contact details on its website to double check that it has indeed been sending out such requests.
Have you conducted a DPIA?
An employer faced with such a request should also consider first conducting a DPIA to identify any risks associated with disclosing the data and ways to mitigate those risks. For example, the risk of the data falling into the wrong hands could potentially be mitigated by transferring it to the authority in encrypted form or with password protection. Although a DPIA is not necessarily mandatory in these circumstances, the ICO’s guidance does recommend that employers consider one if they plan to carry out processing of “sensitive data or data of a highly personal nature”.
What is the appropriate legal basis for disclosure?
With regard to the appropriate legal basis for disclosure of data to the authority, the employer’s ordinary legal basis for disclosing such information to staff could be that this is necessary in its legitimate interest (namely, its interest in cooperating with the public authorities in their management of the pandemic) – and the employer could confirm its thought processes around this by conducting a Legitimate Interests Assessment (LIA) to balance its interests against any competing interests of the employees concerned. LIAs are recommended by the ICO as part of their accountability framework.
The employer’s special category legal basis could be that the processing is necessary to comply with a legal obligation in relation to employment and appropriate safeguards are in place. Here, the applicable legal obligation would be the employer’s duties to all its employees under health and safety law – since the authorities will use the data for contact tracing under the Test and Trace service, and it is that service that would be contacting other employees if it turns out that any of them have to self-isolate as close contacts of an employee who has tested positive for the virus.
This may perhaps sound a little tenuous, but Covid-19 is throwing up a lot of issues from a data protection perspective that companies would probably never have envisaged having to deal with before. The ICO’s guidance on Covid-19 testing and data sharing is reassuring in this regard, as it states that the ‘legal obligation in relation to employment’ legal ground is likely to “cover most of what employers need to do, as long as they are not collecting or sharing irrelevant or unnecessary data”.
As an alternative, we think that it might be possible for an employer to justify the disclosure of confirmed or suspected Covid-19 cases to the authority under the “public health” legal basis for processing special category data. This legal basis can only apply where the processing (i.e. the disclosure) is carried out by or under the responsibility of a health professional, or by someone else who owes a legal duty of confidentiality to the employee. It may be arguable that the employer’s duty of trust and confidence to the employee could satisfy the requirement for a legal duty of confidentiality, although there is no official guidance on this point. The ICO’s guidance on the “public health” legal basis notes that this condition may be appropriate where processing is necessary for (among other things) responding to new threats to public health such as epidemics or pandemics.
Have you informed employees that their data is being shared?
Finally, from a transparency perspective, employers that have been asked to disclose details of confirmed or suspected Covid-19 cases amongst their workforce to the authority should inform the employees concerned – ideally before they make the disclosure. They should identify what data they will be disclosing and the purpose and legal grounds for doing so. Most employers should be able to refer employees back to their general employee privacy notice for other key information such as the employees’ individual rights in relation to their personal data.
4. What are the particular data protection considerations where an employer has gathered other Covid-19-related health information about its employees? (Last updated 19/06/2020)
- In the initial stages of the Covid-19 pandemic, many employers will have sought to put together business continuity plans to address how they would deal with the situation going forwards. This may have included putting in place special measures to protect employees who would be particularly at risk if they were to contract the virus (e.g. those who have serious chronic medical conditions such as heart disease, asthma, diabetes, etc. and pregnant women). In order to ensure such measures would be effective, employers would have needed to know which employees fall into these high risk categories, so may have needed to ask employees to declare if they do. Even if the employer has not required the disclosure of specific medical conditions, the cautious approach would be to treat employees’ confirmation that they fall into a high risk group as special category data (as it is still, arguably, data concerning health).
- Where employees have had to self-isolate because they or someone in their household have had symptoms of Covid-19, they may have reported this to their employer. As with the reporting of any other sickness absence, this would involve the employer processing the employee’s special category data – and, where an employee’s self-isolation was due to someone in their household having symptoms, it could involve processing the special category data of another person.
While the Information Commissioner’s Office has indicated that it will take into account the capacity and financial pressures organisations are facing as a result of the Covid-19 pandemic when carrying out its regulatory functions, data protection law continues to apply. The ICO has produced high level guidance outlining six key data protection steps for organisations in the context of the pandemic. The key steps are:
- only collect and use data that is necessary;
- keep the data you collect to a minimum;
- be clear, open and honest with staff about their data;
- treat people fairly;
- keep people’s information secure; and
- ensure staff are able to exercise their information rights.
- In order to comply with the data minimisation principle, when gathering this information it would be appropriate to restrict it to the minimum necessary for the employer’s purpose. E.g. for business continuity planning around high risk employees, the employer could simply ask employees to confirm if they fall into a high risk category, rather than asking them to confirm which specific medical condition they suffer from. And for reporting of self-isolation, it is arguable that the employer only needs to know whether it is the employee or a member of their household who has symptoms (as this will determine the duration of self-isolation) but does not need further details. Employers that did initially gather more information should consider deleting any specific details that are no longer necessary.
- Who needs access to this information? The data minimisation principle also means that employers should limit the disclosure of personal data to those who really need it. For example, if an employer was simply making business continuity plans for the future, it would have made sense to ask employees to inform HR if they fall into a high risk category, with HR instructed only to disclose that information to line managers in the event that the plans were subsequently implemented. By contrast, if the employer intended to implement protective measures for high risk employees immediately, it would have made sense for employees to inform both their line manager and HR that they fall within a high risk group. With self-isolation reporting, it is really only HR and the employee’s line manager who would need to know when an employee is sent home because they have a fever. Employers may now be in a position to look again at who has access to the information, to ensure that access is restricted to those who really need it in the current circumstances.
- The employer should have conducted a data protection impact assessment (DPIA) to assess the risks associated with the collection and processing of the data and identify whether there was any less invasive way to achieve its objectives. The DPIA should have been recorded in writing and retained in order to demonstrate compliance with data protection law. If anything has changed with regard to how the employer processes the relevant data since it was first conducted, the DPIA should be reviewed to assess compliance on an ongoing basis.
- The employer’s special category legal basis for processing this data would be that the processing is necessary to comply with a legal obligation in relation to employment and appropriate safeguards are in place. Here, the applicable legal obligation would be the employer’s duties to the employees concerned under health and safety law. As for appropriate safeguards, the employer should ensure it has an ‘appropriate policy document’ in place setting out its approach to processing special category data and that this document is drafted broadly enough to encompass this type of processing.
- Similarly, the employer should ensure that its employee privacy notice includes sufficient information on how, why and on what legal basis the employer processes employees’ health data and should provide supplementary privacy notice information if anything is lacking. Even if the employee privacy notice does include sufficient detail, as a matter of good practice, in any communication in which it asks employees to declare if they are in a high risk group, or seeks any additional health information relevant to managing the Covid-19 situation, the employer should state its legal basis for processing this data and direct employees to the privacy notice for further information. If an employer processes special category data of another member of an employee’s household in relation to self-isolation reporting, the employer may wish to consider providing privacy notice information to that person, either directly or via the employee.
- Covid-19 data should be kept for no longer than is necessary. The employer should therefore review the information it has gathered once the pandemic subsides. As soon as the legal basis for obtaining and retaining the data no longer applies, the information should be securely disposed of.