Covid-19 and Data Protection – FAQs for Employers
20th April 2020 by Charlotte Mitchell
Please find below FAQs which explain how businesses can comply with data protection regulations during Covid-19.
Do I need to inform employees if one of their colleagues contracts Covid-19?
Whilst an Employer has a duty of care to its employees to notify them of the infection risk as soon as possible, the Information Commissioner’s Office (ICO) has confirmed that an Employer should avoid wherever possible identifying the individual concerned and should not provide any more information than absolutely necessary concerning that individual. This is particularly important given that information about an employee’s health is a “special category of personal data”, which means it can only be processed by the Employer in defined and limited circumstances. The best way of proceeding will usually be for an Employer to simply notify its employees that an employee who has been in the workplace has been infected and that appropriate precautions must be taken. This would include being extra diligent with washing hands and using any cleaning products provided, such as disinfectant wipes, hand sanitiser, etc., to regularly disinfect shared work spaces.
If you would like any advice or assistance in terms of the form and content of any such notice, we would be happy to help.
Can I collect health data in relation to Covid-19 about employees or from visitors to my organisation?
You have an obligation to protect your employees’ health, but you should not gather unnecessary information about them, and where you do collect information about employees you should do so with appropriate safeguards in place.
The ICO has confirmed, though, that it is reasonable to ask people (to include both employees and visitors) to tell you if they are experiencing Covid-19 symptoms.
You could also ask visitors to consider government advice before they decide to come.
What if the public health authority asks me to share Covid-19 health information for public health purposes?
The ICO has confirmed that data protection law will not prevent you from doing this provided that it is absolutely necessary.
Should my business put in place data sharing measures for self-isolating employees or workers who are having to work from home?
As Employers up and down the country are having to adapt to new working practices, with large numbers of employees working from home, it is imperative that Employers have safety mechanisms in place to ensure that data protection breaches do not take place and that, in the event that they do, the Employer is made aware of them immediately.
Employers are advised to review their current networks, data protection policies and how they share data to ensure that they are protected.
The ICO recommends undertaking a data protection impact assessment to help an Employer understand the full data processing activities undertaken by its employees and any other third parties so as to flag up any potential risk area(s). The ICO provides an example template of a Data Protection Impact Assessment.
Other recommended steps might be to ensure that you are clear that your data protection policy for employees covers remote working and the problems that may arise from this, and to ensure that homeworking policies are also reviewed so that the necessary requirements about processing data remotely are addressed. There are of course a number of technical/IT/security measures which Employers can adopt, which are all vital in limiting an Employer’s exposure to data protection breaches.
If you have any concerns about ensuring your business is complying with data protection regulations during the pandemic, please contact Charlotte Mitchell from Laceys Corporate and Commercial team, who will be more than happy to help.