Data Protection – returning to work during COVID-19
With more businesses set to return to work from 4th July, employers are asking whether they are allowed under data protection legislation to ask employees about their health.
Under data protection legislation, health data is ‘special category data’ and is afforded additional protections.
The Information Commissioner, Elizabeth Denham, has said “Data protection does not stop you asking employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, as long as the principles of the law – transparency, fairness and proportionality – are applied”.
In order to assist businesses, the Information Commissioner’s Office (ICO) has published 6 key data protection steps concerning this use of health information:
1. Only collect what is necessary
The key here is being able to demonstrate that what you have done is reasonable, fair and proportionate. Do you need the information in order to keep your employees safe? Could you achieve the same result without collecting personal information?
2. Keep it to a minimum
If you don’t need data, don’t collect it. Only keep it for as long as necessary – which could be a very short time. Only collect what you need to implement your protective measures appropriately and effectively.
3. Be clear, open and honest with staff about their data
Notify staff about the data you will be using and what the implications for them may be. It may impact on whether staff can work or not, so you need to be open and up front about this. You should also tell staff how long you will be holding the data for and if you intend to share it with any other parties.
4. Treat people fairly
Where you make decisions about people based on health information you must do it fairly. Consider the detriment they may suffer and make sure the way you use the information does not result in any form of discrimination.
5. Keep information secure
Information may be collected by various people within the organisation. It needs to be stored securely and only kept for as long as necessary.
6. Staff must be able to exercise their information rights
This remains key to data protection and applies to any health information collected as a result of the COVID-19 pandemic. Organisations need to inform staff about the rights they have, how to exercise them and how to raise any concerns.
If your new return to work safety measures do not include testing staff or checking symptoms, you also need to follow these additional steps:
7. Identify a lawful basis for collecting and using the data
(This needs to be assessed for each organisation but may be ‘public task’ for public authorities or ‘legitimate interest’ for other organisations). As health data is special category data you also need an additional reason, which is likely to be the ‘employment’ ground.
8. Carry out a data protection impact assessment if health data is processed on a large scale.
Please note that whilst staff can be encouraged to engage in symptom checking or testing procedures, making these mandatory needs to be considered in the light of employment law generally and their contract. The above steps apply to information that is legitimately collected. If you need further advice on what is allowed, please get in touch; we can help.