Dealing with employee personal data as we return to work

We have looked at the data protection challenges presented by home working and the increased use of video calls, messaging apps and other online platforms and as we now begin to emerge from lockdown and workplaces start to re-open, we look at the fresh challenges this presents for employers.

The ‘new normal’ might, for instance, lead us to process employee data in new and unprecedented ways. The government guidance on returning to work (which applies in England) requires all employers to carry out a risk assessment in accordance with HSE guidance. The HSE publication “Working safely during the coronavirus outbreak – a short guide” provides that employers must consider those who are at higher risk, including those who are shielding or living with someone who is shielding. Employers also have a statutory duty to risk assess pregnant workers and other workers who do not fall into the shielding category may nevertheless have health conditions which place them at greater risk of Covid-19.

Different guidance applies in Wales and workers should only go into work when it is not reasonably practicable for them to work from home. The guidance makes it clear that where home working is not possible, risk assessments must be carried out and the Welsh government has also introduced a statutory duty on employers to take all reasonable measures to maintain workplace distancing of two metres or more. The Welsh government has also published guidance for employers on its Test, Trace, Protect strategy which sets out the role which employers are expected to play in facilitating the testing of workers with symptoms.

Some employers may also want to arrange for testing to be carried out themselves in order to ensure that any cases within their workforce are quickly identified in order to prevent a major outbreak that may force the closure of the workplace. The ICO has issued guidance on this in Workplace testing – guidance for employers.

This inevitably means that employers will be processing more special category data than was previously the case. This will predominantly consist of health data, but as health professionals gain a greater understanding of the interaction between Covid-19 and demography, other types of data may also be collected. For example, it is already well established that age and gender play a role and that the BAME people are also at greater risk from the disease.

In Wales, workers in the health and social care sector also have access to a workforce risk assessment tool which asks a number of questions about factors such as age, health, weight and ethnicity which may increase the risk of serious illness following an infection with Covid-19. Once completed, it is intended that workers should discuss the outcome with their line managers and occupational health department, so that employers in these sectors are particularly likely to hold special category information.

What does this mean for employers? Under GDPR and the Data Protection Act (DPA) 2018, it is lawful for employers to process special category information, provided they can identify a lawful basis for processing and are also able to satisfy an Article 9(2) condition. In most cases, employers with be able to rely on “legitimate interests” as their lawful basis for processing data in relation to Covid-19.

As employers will be processing data to protect the health, safety and welfare of employees the relevant Article 9(2) condition is likely to be the employment condition contained in Article 9(2)(b) of the GDPR taken in conjunction with the legal authorisation contained in Schedule 1 condition 1 of the DPA 2018 which includes processing for health and safety reasons.

However, it is not enough for employers to be able to demonstrate that the processing of this data is lawful. Employers should also consider the following steps:

• Ensuring that they have an appropriate policy document in place – this should outline the compliance measures and retention policies that apply to special category data
• Ensuring that privacy notices have been updated to cover this type of data and processing – this might well not have been envisaged when the notice was drafted
• Restricting the number of staff who have access to this type of information and ensuring that they have received adequate training on safeguarding its confidentiality and security
• Reviewing their security measures to ensure both the physical and cyber security of this information and reminding staff of the importance of following the relevant policies
• If employers intend to carry out any workplace testing then they should undertake a Data Protection Impact Assessment (DPIA). The ICO recommends that a DPIA is carried out in its guidance Workplace testing – guidance for employers 
• Remembering that this kind of data should be adequate, relevant and limited to what is necessary – employers should resist the temptation to collect more data than is necessary or to hold on to it for longer than necessary.

It is always best practice for employers to communicate with their employees in plain language to explain what they are doing and why. Whilst employers need to ensure that their documentation is up to date, in practice employees are more likely to cooperate if employers also explain that information is being gathered in order to protect their safety and that of their colleagues.

The ICO recognises that organisations face many burdens at this time and has previously made it clear that they will take a proportionate approach to regulatory action during the pandemic. However, this does not mean that they will disregard flagrant breaches and in particular, they will expect that employers entrusted with very sensitive employee information will take reasonable steps to ensure the security of that information.