“Man is a creature that can get used to anything” – Fyodor Dostoevsky.
As we grow accustomed to living with Covid-19, we are witnessing a return to pre-pandemic life: we can drink pints, run on a treadmill, and return our long overdue books to the library. Some employers have even begun the process of re-populating those unfamiliar places we once referred to as offices.
However, this re-population is being tempered by caution on the part of employers who do not wish to risk transforming their offices into viral paradises.
Employers have been marking floors, providing sanitiser for staff, and handing out face masks like sweets. However, more extreme measures are also being taken: temperature checks, antibody testing, health screening questionnaires and swab tests have all become part of the employer’s arsenal in the fight against Covid-19 in the workplace.
Data Concerning Health
These latter measures can all be used to identify the health status of an individual employee and/or visitor. This is where employers must tread carefully: an attempt to ensure a safe working environment could unintentionally result in a violation of an individual’s right to privacy. Under data protection legislation, data concerning an individual’s health is classified as a ‘special category’ of personal data.
The mishandling of such data poses a threat to the rights and freedoms of an individual; such a threat, in fact, that the processing of such data is generally prohibited. Luckily for employers there are certain conditions that can be relied upon to make this processing permissible (on the condition that you also have a lawful basis for processing).
As an illustration, but not a definitive list, the table below contains the lawful bases and conditions for processing that might apply depending on your situation. As an employer, you should select the most applicable, and document the selection.
Article | Lawful Basis | Condition for Processing
---|---|---
Article 6.1.c | Processing is necessary for compliance with a legal obligation to which the controller is subject |
Article 6.1.d | Processing is necessary in order to protect the vital interests of the data subject or another natural person |
Article 6.1.e | Processing is necessary for the performance of a task carried out in the public interest |
Article 9.2.b | | Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of a controller in the field of employment law
Article 9.2.c | | Processing is necessary to protect the vital interests of the data subject or another natural person
Article 9.2.i | | Processing is necessary for reasons of public interest in the area of public health
GDPR Compliant Processing
Having successfully identified the lawful basis and condition for processing the health data of employees, an employer could be forgiven for thinking that they have complied with the GDPR. Not so, as there’s still work to be done.
The ICO would not be forgiving of any employer that has failed to adhere to the principles of processing personal data, especially when the processing involves special categories of personal data.
Every employer should take a long hard look in the mirror and ask themselves the questions in the table below. This will aid understanding as to whether they are processing personal data in a GDPR compliant manner.
Principle | Questions
---|---
Transparency | What information have you provided to employees about your Covid-19-specific processing activities? Do employees understand how their data will be used, shared (if relevant), and retained?
Purpose Limitation | Have you limited access to the data? Do your policies limit use of the data to the purposes for which it was collected? Do you have rules for sharing test results internally? Do you have rules for sharing test results externally?
Data Minimisation & Storage Limitation | Is the data you record, store, share, or otherwise process necessary to fulfil the intended purposes? Are you subject to any legal requirements to retain the data? Do you have a data deletion schedule, and have you added Covid-19 data to it?
Confidentiality | Is the data anonymised, pseudonymised, or encrypted? Are there strict security measures and confidentiality policies in place? Is the data stored securely, separately, and with access controls?
Conclusion
Covid-19 has altered our behaviours and attitudes: we happily give our personal details to a publican in exchange for a pint, we comply with requirements to don protective masks while we shop, and we obey our employers’ demands for our health data. Even so, we should not wantonly abandon the right to data protection.
Employers owe a duty to their employees: a duty to ensure that when they process the health data of their employees, they do so in a GDPR compliant manner. At the very least this means identifying and recording a lawful basis, a condition for processing, and adhering to the principles of processing personal data.