In light of the ongoing Coronavirus (Covid-19) pandemic, the Information Commissioner's Office (ICO), the United Kingdom's independent supervisory authority for information rights under the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), has released guidance on the data protection requirements affecting controllers of personal information.
As more Coronavirus cases are detected, employers will need to monitor the impact of the outbreak and take steps to protect their employees where necessary.
The most important thing to know is that data protection will not stand in the way of businesses protecting the health and safety of their employees. Organisations are allowed to share information in order to fulfil their legal obligations to the relevant authorities and to safeguard employees. However, any sharing should be proportionate to the risk and needs to be carefully assessed on an ongoing basis.
You may ask your employees if they, their family or close friends have travelled to an affected region or whether they have a particular health condition that may make them more vulnerable to the virus, or indeed if they have symptoms or have contracted the virus.
Under EU data protection law (GDPR), personal data concerning health is "special category data" (one of the sensitive categories listed in Article 9(1) GDPR, which require extra protection). This means that employers need to ensure that any communication to the wider workforce does not include data about the individual who may be absent, including their symptoms.
In all cases there should be a careful assessment of whether any information released would serve to "single out" and identify particular employees. Where there is a confirmed case of the virus within the workforce, it is highly advisable to consider measures that avoid mentioning any individuals and their related health issues.
It is for the business to decide what steps are taken to ensure the safety of employees. Each business should consider the need for suitable assessments of any people who may have come into contact with the affected person, rather than sending blanket communications.
With remote working on the increase, and offices opting to shut down, there is a real risk that people who normally work in an office will be accessing business accounts (such as email, files and software) from their own personal laptops and devices. If employees are not normally required to use their own devices, those devices are likely to be shared with others, and their security is unlikely to be up to the standard the organisation would expect. Implementing or refreshing your Email and IT usage policy, as well as your Bring Your Own Device ("BYOD") policy, should therefore be considered. A BYOD policy normally sets out the requirements on employees and the security standards that they and their devices are expected to meet. All employees should be made aware of the BYOD policy and asked to confirm that it is understood and will be followed.
For more information you can read the ICO guidance and the latest NHS guidance, and as always feel free to contact us with your data protection enquiries.