In the unfortunate event of an actual or suspected Covid-19 outbreak at a workplace, data protection is probably the last thing on the employer’s mind. However, an employer in these circumstances may find that it needs to disclose details of the actual or suspected cases of Covid-19 – both to the rest of its workforce and to external third parties. Below, we consider the data protection implications of sharing such information.
Handling an outbreak may involve data sharing
Government guidance on working safely during Covid-19 states that if there is more than one case of Covid-19 associated with a workplace, the employer should contact their local Health Protection Team to report a suspected outbreak. If the local Health Protection Team declares an outbreak, the employer will be asked to record details of symptomatic staff and assist with identifying who they may have been in contact with.
The employer will also need to inform its staff of cases of Covid-19 in the workplace in order to comply with its general duty of care towards them and its obligation to ensure their health and safety.
In addition, we have had reports of member companies receiving letters from their local authorities informing them that they must inform the local Health Protection Team in the event of not just confirmed Covid-19 cases on their premises, but also suspected cases.
Covid-19 status counts as special category data
The fact that an employee has tested positive for, or is suspected of having, Covid-19 would constitute special category data, as it is data concerning the employee’s health. The GDPR places more restrictions on the processing of special category data than on the processing of ordinary personal data. For example, the employer must be able to identify one of the additional special category legal grounds for processing such data – some of which require additional safeguards to be put in place, such as an ‘appropriate policy document’ setting out the employer’s approach to processing special category data. Depending on the circumstances, the employer may also be required to conduct a Data Protection Impact Assessment (DPIA) before carrying out the processing. In addition, as with all processing of personal data, employers must ensure that they are transparent about what they are doing, providing relevant information to employees via a privacy notice. While many employers may have a general employee privacy notice that is broad enough to cover the processing of personal data related to Covid-19, it may still be advisable to provide employees with more detailed or updated information specific to the processing concerned. Employers will need to bear these requirements in mind when sharing information about employees’ Covid-19 status.
Telling staff about Covid-19 cases
As noted above, an employer would be expected to inform its staff if there are confirmed Covid-19 cases at the workplace. The employer’s ordinary legal ground for disclosing such information to staff could be that this is necessary in its legitimate interest (namely, its interest in maintaining a safe and functional workplace). Its additional special category legal ground could be that the processing is necessary to comply with a legal obligation in relation to employment and appropriate safeguards are in place. Here, the applicable legal obligation would be the employer’s duties to the employees concerned under health and safety law – as informing employees in this way will encourage them to take even greater care when complying with the safety measures the employer has implemented in the workplace. As for appropriate safeguards, the employer should ensure it has an ‘appropriate policy document’ in place and that this document is drafted broadly enough to encompass this type of processing.
It is also important to note that guidance from the Information Commissioner's Office (ICO) states that while employers should keep staff informed of confirmed or suspected cases of Covid-19 in the workplace, they should avoid naming individuals if possible and shouldn’t provide more information than necessary. So the employer can say that there are cases of (confirmed or suspected) Covid-19 within the workplace, but should be cautious about giving further details.
Informing the authorities about confirmed or suspected Covid-19 cases
As explained above, employers are expected to inform their local Health Protection Team if there is more than one case of Covid-19 associated with a workplace, and we are aware of some companies receiving letters from their local authority telling them that, as well as details of any confirmed cases, they must also share details of any suspected cases. This is said to be in order to facilitate contact tracing under the NHS Test and Trace service.
Is the request genuine?
As a preliminary point, it is worth noting that any employer that receives a request for such disclosure should take steps to ensure that it is a genuine request from the local authority. They could, for example, get in touch with the authority using the contact details on its website to double check that it has indeed been sending out such requests.
Have you conducted a DPIA?
An employer faced with such a request should also consider first conducting a DPIA to identify any risks associated with disclosing the data and ways to mitigate those risks. For example, the risk of the data falling into the wrong hands could potentially be mitigated by transferring it to the authority in encrypted form or with password protection. Although a DPIA is not necessarily mandatory in these circumstances, the ICO’s guidance does recommend that employers consider one if they plan to carry out processing of “sensitive data or data of a highly personal nature”.
What are the legal grounds for disclosure?
With regard to the appropriate legal grounds for disclosure of data to the authority, the employer’s ordinary legal ground for disclosing such information could be that this is necessary in its legitimate interest (namely, its interest in cooperating with the public authorities in their management of the pandemic) – and the employer could confirm its thought processes around this by conducting a Legitimate Interests Assessment (LIA) to balance its interests against any competing interests of the employees concerned. LIAs are recommended by the ICO as part of their accountability framework.
The employer’s special category legal ground could be that the processing is necessary to comply with a legal obligation in relation to employment and appropriate safeguards are in place. Here, the applicable legal obligation would be the employer’s duties to all its employees under health and safety law – since the authorities will use the data for contact tracing under the Test and Trace service, and it is that service that would be contacting other employees if it turns out that any of them have to self-isolate as close contacts of an employee who has tested positive for the virus.
This may perhaps sound a little tenuous, but Covid-19 is throwing up a lot of issues from a data protection perspective that companies would probably never have envisaged having to deal with before. The ICO’s guidance on Covid-19 testing and data sharing is reassuring in this regard, as it states that the ‘legal obligation in relation to employment’ legal ground is likely to “cover most of what employers need to do, as long as they are not collecting or sharing irrelevant or unnecessary data”.
As an alternative, it might be possible for an employer to justify the disclosure of confirmed or suspected Covid-19 cases to the authority under the “public health” legal ground for processing special category data. This legal ground can only apply where the processing (i.e. the disclosure) is carried out by or under the responsibility of a health professional, or by someone else who owes a legal duty of confidentiality to the employee. It may be arguable that the employer’s duty of trust and confidence to the employee could satisfy the requirement for a legal duty of confidentiality, although there is no official guidance on this point. The ICO’s guidance on the “public health” legal ground notes that this condition may be appropriate where processing is necessary for (among other things) responding to new threats to public health such as epidemics or pandemics.
Have you informed employees that their data is being shared?
Finally, from a transparency perspective, employers that have been asked to disclose details of confirmed or suspected Covid-19 cases amongst their workforce to the authority should inform the employees concerned – ideally before they make the disclosure. They should identify what data they will be disclosing and the purpose and legal grounds for doing so. Most employers should be able to refer employees back to their general employee privacy notice for other key information such as the employees’ individual rights in relation to their personal data.
How we can help
Our legal and health & safety experts have produced an easy-to-follow five-step guide to managing a Covid-19 outbreak in your workplace.
The Coronavirus FAQs on our website are updated regularly and provide detailed guidance on a wide variety of issues relating to Covid-19, including whether employers can require employees to undergo tests for Covid-19 and establish their own internal contact tracing systems (see questions 5 and 5(a) of the ‘Health and safety measures’ FAQs) and associated data protection issues (see the FAQs on ‘Data protection during the pandemic’).
Make UK members can access further advice and guidance on GDPR compliance in the HR & Legal Resources section of our website. If you are a Make UK member, you can also contact your adviser with any queries you wish to discuss. Alternatively, non-members are welcome to call us on 0808 168 5874, or email [email protected].
We are in the process of developing GDPR refresher training, which will be available to be delivered virtually via an interactive e-learning programme in early 2021. If you would like further information about this training, please email [email protected] to register your interest.