Complying with GDPR in the face of increased collection of employees’ health data

What should I be considering?

Many businesses have processed or will be processing ‘new’ types of personal data, such as:

• employee self-isolation details
• body temperatures of employees and visitors to business premises
• location data of employees.

For the purposes of the GDPR, the above types of personal data are likely to fall within ‘special categories of personal data’ because of their relevance to health, and therefore will have to be dealt with differently. The GDPR also focusses on data minimisation and requires businesses to only collect as much personal data as is “strictly necessary”.

Do I need an alternative legal basis for processing such personal data?

Yes. Although businesses can rely on the usual legal bases for processing such data, i.e;

• legitimate interests
• contractual necessity (to ensure the health, safety and well-being of their employees)
• legal obligation (i.e collecting data in order to comply with new coronavirus laws),

it is likely that they will also need to satisfy a further condition, given the specific health related personal data.

One of these conditions is the collection of data for ‘public heath’ reasons. This would be relevant if a business is acting on the advice of public medical advisors in relation to Covid-19, which will be commonplace.

Practically, what can I be doing?

• Review and update your privacy notices to reflect such new changes in the collection of data from employees.
• Review and update your remote working policies and remind your employees of data security and confidentiality.
• Conduct a data protection impact assessment (if not already done so) because the GDPR requires an impact assessment to be undertaken for any data processing which is “likely to result in a high risk to individuals.“