Covid-19 and its spread across borders is a concern for employers and employees alike. While employers will be anxious to ensure the safety and health of their employees, measures intended to ensure a safe working environment can increase processing of employee personal data. In response to concerns, the Data Protection Commission (DPC) has recently issued guidance about data protection issues and Covid-19. This guidance highlights the importance of taking decisions about personal data (particularly health data) which are necessary, proportionate and informed by directions of public health authorities.
We have set out four key points below for employers to consider when processing employee data in this context.
1. Contact Information
In order to keep employees informed about workplace opening arrangements, employers may wish to use personal contact information for employees, e.g. personal mobile numbers. Employers should consider whether they have a legal basis under Article 6 of the GDPR for processing of this data. Additionally, employers should keep their employee data protection/privacy notice in mind. This notice should refer to the possible uses of personal contact information for employees.
2. Health Data
Monitoring the coronavirus situation may mean employers are processing more health data relating to employees and other individuals, such as suppliers or other visitors to premises, than usual. There are two main points to bear in mind here.
- Employers should have regard to Article 9 of the GDPR. Whether employers are seeking health data from an individual (e.g. by asking whether they are part of an ‘at risk’ group) or information about symptoms, Article 9 provides that special category data, which includes health data, should not generally be processed, except in a limited number of situations, which are listed in Article 9(2). In order for an employer to use the health data provided to them, that use will need to fall within an exception listed in Article 9(2) (as well as having a legal basis for processing under Article 6). While the DPC’s recent guidance indicates that Article 9(2)(b) (processing necessary for compliance with obligations as an employer) and 9(2)(i) (processing necessary for reasons of public interest in the area of public health) are likely to be relevant to employers, the appropriate Article 9(2) basis will vary depending on circumstances.
- Employers should not begin using health data they already hold for a new purpose without considering data protection implications. For example, employers may hold sick notes for the purposes of administering employee sick pay. Using these sick notes for a new purpose, e.g. to check for history of respiratory illness, could cause data protection issues for an employer.
Employers have a balance to strike in terms of employee confidentiality. An employee’s identity can be withheld in certain contexts, e.g. in internal announcements to the company as a whole, which is the approach recommended by the DPC. In other contexts, however, the employer will have to balance confidentiality against their duty of care to other employees, who may need more specific information to safeguard their health. Where an employer is protecting employee confidentiality, it is important that any processing it carries out ensures security of the data, a point that is emphasised in the DPC’s guidance.
A final point to consider is retention of data relating to Covid-19 and individuals. Many employers will have gathered (or currently be gathering) not only health information about employees and other individuals, but information about recent and upcoming employee travel plans. Employers should consider how long this type of data should be retained. As highlighted by the DPC in its recent guidance, transparency in interactions with individuals on purpose and retention of data is important for data protection compliance.