Covid-19 and Data Protection

Can I monitor my staff for COVID – 19 symptoms?

With Boris Johnson issuing new guidance that some of us can now return to work, this raises serious concerns on how employers can prevent the spread of the coronavirus once their staff are back in the office/on the shop floor etc. 

If you are an employer, you will already know that all employers have a duty to keep their employees safe. So, what measures do companies need to implement in addition to the two-metre social distancing rule? Should organisations insist that their staff have their temperature taken every day? Whilst on the face of it, this might seem like a good idea, before you whip out the thermometers, pause for a moment to consider the data protection implications. 

Information about health, including taking someone’s temperature, is classed as ‘special category personal data’ under the GDPR. This means that stricter rules apply compared to the rules on ‘regular’ personal data, which we are all used to dealing with, such as name and address. 

If your plan to keep your workforce safe from COVID-19, is to:

• take the temperature of every employee as they arrive for work

and/or

• collect other information about their health and send them home if you believe they present a risk

How can you do this without breaching the data protection legislation?

See below for a list of what needs to be considered. 

What needs to be considered?

Is it legal?

In order to keep on the right side of the data protection law when collecting health data from your employees, you need to ensure that you adhere to the requirements of the GDPR and the Data Protection Act 2018 (DPA 2018) and follow the guidance from the ICO. 

How will you comply with the GDPR?

The GDPR sets out the law on data protection and the privacy rights of individuals. Before embarking on a new system of collecting health data from your employees, you need to ensure that your new procedures will comply. The best way to address this is by completing a Data Protection Impact Assessment (DPIA).    

Do you need a Data Protection Impact Assessment (DPIA)?

Before introducing any changes that involve collecting health data from your employees, you will need to carry out a DPIA. By the end of this process, you should be clear on what measures you can legally introduce under the GDPR.

What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a legal requirement (under Article 35 of the GDPR) in any situation whereby the processing is likely to result in a ‘high risk to the rights and freedoms’ of individuals. Collecting information about the health of your staff is seen as high risk, and require a DPIA. 

What’s the point of a Data Protection Impact Assessment (DPIA)?

The DPIA process will help you to assess the risks involved and clarify whether your plans to collect health information are justified, relevant and proportionate or whether you could achieve the same result in a less intrusive way, such as simply asking staff to self-isolate if they have symptoms of coronavirus. 

The DPIA process will aid understanding of how you can adhere to the data protection principles, including how to ensure that the information you collect is adequate, relevant and limited to what is necessary. For example, how you can ensure that you don’t collect excessive information and only collect what you need for the purpose. 

In addition to this, and very importantly, the DPIA will help you identify what your legal basis is for processing personal information. You must always have a valid legal basis, otherwise you will be in breach of the GDPR. One of the legal bases is consent. Do you need consent? 

If consent is not appropriate, which of the legal bases should you rely on? For example, is legitimate interests more suitable? What does legitimate interests mean? If you decide to rely on legitimate interests, you will need to do a legitimate interests assessment (LIA). 

Once you have identified which legal basis to rely on, your DPIA will help you satisfy a condition under Article 9 of the GDPR. This is required because you will be processing health information. Bear in mind that you may also need to refer to the Data Protection Act 2018 (DPA 2018).

The DPIA process will also help you assess how you will be able to address the information rights of your staff in relation to data protection. For example, one of those rights is the right to be informed. This means that you have to be open and transparent with what you are intending to do with the personal information you collect from your staff. The clearest way to do this is to provide your staff with a GDPR compliant Employee Privacy Notice.  What needs to be included in an Employee Privacy Notice? 

A DPIA will also cover other important considerations such as whether you should conduct a consultation on your proposed plans, how long you should keep the information, who you should share it with, how you should keep it secure and it should help you comply with the accountability principle. 

Top tip from the ICO regarding your lawful basis 

The Information Commissioner’s Office (ICO) suggests that private organisations may wish to rely on ‘legitimate interests’ under Article 6 of the GDPR as their lawful basis for collecting health information from staff, together with ‘obligations and rights relating to employment’ under Article 9 (2) b of the GDPR and Schedule 1 condition 1 of the DPA 2018.

Information Commissioner’s Office

Here at DPAS we are offering a free DPIA template, together with a free DPIA Policy and Procedure in order to help you comply with the GDPR, enabling you to focus on ensuring your workforce stay safe and well and you can all get back to business! 

Free templates for you to use!

Should you need any additional guidance, advice or support do not hesitate to contact us on 01392 914019 or at info@dataprivacyadvisory.com

These are the further explanations of items mentioned above. 

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Special category personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

What are the data protection principles?

The data protection principles are set out within Article 5 of the GDPR and state:

• processed lawfully, fairly, and in a transparent manner

• collected for specified, explicit, and legitimate purposes

• adequate, relevant, and limited to what is necessary

• accurate and, where necessary, kept up to date; 

• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed 

• processed in a manner that ensures appropriate security of the personal data

Please note that the above list is a brief version of the data protection principles. It does not set them in full.

What are the legal bases?

In order to process personal data, you must have a legal basis. There are six different legal bases set out in Article 6 of the GDPR. In a nutshell the legal bases are:

1. consent
2. contract
3. legal obligation
4. vital interests
5. public task
6. legitimate interests

Please note that the above list is a brief version of the legal bases. It does not set them in full.

Do you need consent?

Should you simply obtain consent from each member of staff to take their temperature? This might seem like an easy option but, under the GDPR this is unlikely to be regarded as valid consent due to the imbalance of power between an employee and an employer. In any event, how effective would it be, if some staff members consented and others declined? The staff who refused the temperature check might be infected and could be spreading the disease within the workplace, despite your efforts to prevent this.

If consent is not the answer, then what is? You will need to rely one of the other legal bases. 

Which legal basis should you rely on?

The most appropriate legal basis for private organisations to rely on when processing personal data is legitimate interests. This is because it is in the legitimate interests of your business to process the personal data and these interests are not overridden by the interests of the employees. However, an organisation should carry out a Legitimate Interests Assessment (LIA) in order to clarify that this is the correct legal bases for them. 

Do you need to do a Legitimate Interests Assessment (LIA)?

If you are proposing to use legitimate interests as your legal basis for processing personal data, you will need to prepare a LIA in order to demonstrate that this is the correct legal basis for your situation. 

What is a Legitimate Interests Assessment (LIA)?

A LIA is the most flexible lawful basis and in order to use it, you need to conduct a three-part test:

1. What is your purpose (ie: what are you trying to achieve?)
2. Is it necessary? (Is this processing proportionate to what you want to achieve or is there a less privacy intrusive way of achieving your purpose?)
3. Balancing test – you need to balance your interests against the interests of the individual. Will your proposed actions cause any unwarranted harm to the individuals?

Article 9 of the GDPR

In addition to the above, in order to process data about health (special category personal data), you must also satisfy a condition under Article 9 of the GDPR. These conditions relate to:

1. explicit consent
2. obligations and rights in the field of employment, social security and social protection law
3. vital interests
4. legitimate interests of a not-for-profit organisation
5. manifestly made public by the data subject
6. necessary for the establishment, exercise or defence of legal claims
7. substantial public interest
8. preventative occupational medicine
9. public interest in the area of public health
10. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Further conditions are set out in the Data Protection Act 2018 (DPA 2018)

Please note that the above list is a brief version of the conditions. It does not set them in full.

Data Protection Act 2018 (DPA 2018)

The DPA 2018 covers things that are not covered under the GDPR such as the ICO’s powers and enforcement. It also covers exemptions and extra conditions for processing special category personal data.  

What are the information rights of the employees?

Under the GDPR, individuals (data subjects) have been given a number of information rights which include those set out below. The right to be informed is extremely important if you are proposing to collect health information from your staff. Data subjects have a right to:

1. be informed 
2. access
3. rectification
4. erasure
5. restriction
6. data portability
7. objection
8. not be subject to automated decision-making

Please note that the above list is a brief version of the rights given to individuals. It does not set them in full.

What is the right to be informed?

The right to be informed means that organisations need to be open and transparent with individuals in relation to what they are doing with their personal information in order that they are fully aware of how their personal data is being used. Therefore, if you wish to take the temperature of each member of staff, you need to tell them about this beforehand. This can be done by way of an Employee Privacy Notice.

What is an Employee Privacy Notice?

An Employee Privacy Notice is a document issued to a member of staff by the employer explaining what personal information they will collect, store and process about them. The Privacy Notice also needs to explain why the employer needs this information, what they will do with it, who they will share it with and how long they will keep it. The Privacy Notice must also set out all their rights and other supplemental information. (See Article 13 of the GDPR). 

Have you issued your staff with an Employee Privacy Notice and if so, does it cover this kind of situation? The chances are, your existing Employee Privacy Notice will need to be updated to include these particular circumstances. 

If a new Privacy Notice needs to be issued, staff need to be made aware of it and the changes need to be clearly explained to them, so it’s a good idea to arrange meetings for this and send out emails enclosing the new document.  

What needs to be included in an Employee Privacy Notice?

An Employee Privacy Notice needs to clearly set out exactly what information you wish to collect, why you want to collect it, what you intend to do with it, who you will share it with and how long you will keep it. The Privacy Notice must also set out all their rights and other supplemental information. (See Article 13 of the GDPR).

The accountability principle? The accountability principle is new under the GDPR and means that controllers need to, not only comply with the GDPR, but prove that they comply by having in place the necessary documentation to evidence their compliance. For example, by creating and retaining DPIAs, LIAs and Privacy Notices etc