GDPR Compliance In The Face Of Coronavirus
GDPR regulations have not been suspended because of Covid. Coronavirus has changed so much of life as we know it. Over the last five months and as we now emerge from lockdown, we are all entering a ‘new normal.’ Systems being put in place, such as track and trace and workplace monitoring, are raising questions about privacy and of course GDPR. What information can an employer ask for? How should it be stored? And for how long?
Can employers ask staff/visitors about Covid-19 symptoms or a diagnosis?
The Information Commissioner’s Office (ICO) guidance confirms that businesses can ask about Covid-19 symptoms where there is good reason to do so. In the current climate, this is likely to fall squarely into the bracket of protecting the health and safety of others.
However, it is important to be aware that only the minimum amount of data should be collected and retained for the purpose identified and used only in a way that is necessary and relevant.
As always, this data must be kept secure and confidential. And where a member of staff provides information about their health, this will amount to special category personal data (previously known as ‘sensitive personal data’), attracting a higher level of protection.
As some workplaces are beginning to reopen, employers are asking employees to complete Covid-specific return to work questionnaires that ask, for example, for confirmation of any symptoms within the previous 14 days or any confirmed diagnosis. They may also ask for similar information in relation to others within their household (which, again, may amount to special category data if the individual is identifiable).
Can employers take temperature readings from employees?
Yes, if strictly necessary. Data protection law does not prevent companies from taking necessary steps to keep staff and the public safe. However, employers should consider less intrusive means of monitoring and use those where appropriate.
In this context, how can a business ensure compliance with data protection principles?
Employers should carry out a data protection impact assessment (DPIS) and be able to demonstrate that thought has been given to why intrusive means of monitoring the health of staff have been chosen.
To ensure compliance with the principle of accuracy, businesses will need to be mindful of any limitations regarding the equipment used and carefully date all temperature check results, as they will quickly become out of date as an individual’s health changes over time. The need for the information to be retained should be regularly reassessed with secure deletions undertaken.
Can employers keep a record of staff diagnosed with the virus and can they inform other colleagues about the diagnosis?
Yes. However, there are some provisos. The ICO has flagged concerns about the potential misuse of this kind of information, and employers must be careful not to use details of an individual’s symptoms or diagnosis for any purpose that the member of staff concerned might not reasonably expect.
Employees should be kept informed about cases within the organisation, but employers should consider whether this can be done without identifying a particular individual. There must be a balance between a company’s duty of confidentiality and data protection obligations and its duty of care on the health and safety of staff. Certainly, a blanket approach should not be adopted.