In light of the ongoing Coronavirus (Covid-19) pandemic, the ICO has released guidance on data protection requirements affecting controllers of personal information.
As more Coronavirus cases are detected, employers will need to monitor the impact of the outbreak and take steps to protect their employees where necessary.
The most important thing to know is that data protection will not stand in the way of businesses protecting the health and safety of their employees. This means that organisations are allowed to share information to fulfil their legal obligations to relevant authorities and to safeguard employees; however, any sharing should be proportionate to the risk and needs to be carefully assessed on an ongoing basis.
You may ask your employees if they, their family or close friends have travelled to an affected region or whether they have a particular health condition that may make them more vulnerable to the virus, or indeed if they have symptoms or have contracted the virus.
Under EU data protection law (GDPR), personal data concerning health is “special category data”. This means that employers need to ensure that any communication does not include any data about the individual who may be absent, including their symptoms.
In all cases there should be a careful assessment of whether any information released would serve to single out and identify certain employees. Where there is a confirmed case of the virus within the workforce, it is highly advisable to consider measures that avoid mentioning any individuals and their related health issues.
It is for the business to decide what steps are taken to ensure the safety of employees. Each business should consider the need for suitable assessments of any people that may have come into contact with the affected person rather than sending blanket communications.
With remote working on the increase, and offices opting to shut down, there is a real risk that people who normally work in an office will be accessing business accounts (such as emails, files and software) from their own personal laptops and devices. If employees are not normally required to use their own devices, those devices are likely to be shared, and their security may not be up to the standard the organisation would expect. Implementing or refreshing your Email and IT usage policy, as well as your Bring Your Own Device (“BYOD”) policy, should therefore be considered. A BYOD policy normally sets out the requirements on employees and the security standards that they and their devices are expected to meet. All employees should be made aware of the BYOD policy and should confirm that it is understood and will be followed.