Home
Internal
published on 7 May 2020 | reading time approx. 3 minutes
Following the outbreak of covid-19 and its development into a global pandemic, many businesses have had to resort to taking exceptional measures to ensure that their employees, customers and business is protected against the threat of coronavirus and to ensure that as far as possible, it is “business as usual”. We anticipate that there are a few issues for organisations to take into consideration in these unprecedented time from the perspective of the data protection regime.
In order to manage the impact of the outbreak and to limit exposure, organisations may be collecting information from employees that are exceptional and unusual. This may include “contact lists,” a list of symptoms, if any, information about vulnerable members in the family home, and information on self-isolation. This is likely to be “personal data” and “special categories of personal data” (“SCD”) under the General Data Protection Regulations (“GDPR”) and is subject to strict obligations in terms of compliance.
The Information Commissioner’s Office (“ICO”), the UK’s data protection watchdog, has confirmed that it will not bring regulatory action against organisations worried about reduced standards of data protection practices and longer response times to information rights requests. The ICO will use their own communication channels to inform people about potential delays when making information rights requests during the pandemic.
Informing employees (or others) about the identity of any specific employee who is confirmed to have covid-19 would involve disclosing SCD, and so has the potential to both be unlawful from a data privacy point of view and potentially from an employment law perspective (since it may carry stigma, embarrassment, etc.) It will generally not be necessary to disclose an individual’s identity, even while implementing measures prevent spread of the virus, including to high-risk individuals. Businesses must perform a balancing act to protect both the identity of the infected individual’s identity and other employees in the organisation. An impact assessment may be necessary to record how each organisation will approach the issue of the identity of infected persons. This is also consistent with ICO guidance.
It is important to note that collecting data to help stem the spread of covid-19 may be in the broader public interest, but it does not evaporate privacy and data security concerns. Data protection authorities across the EU have generally agreed that it is permissible to ask employees whether they’ve been infected, whether they’ve recently visited high-risk areas or whether they’ve been in contact with or exposed to people infected with the virus. However, organisations must also consider how long to store the data they collect, who has access to that data and how long it will be retained.
It is unclear when the outbreak will truly start to resolve, but once it does, businesses must have an action plan for what they intend to do with the data they have collected. The general practice is to properly dispose of data when it is no longer required. Indeed, the GDPR encourages organisations to delete data when no longer needed, and data deletion is also one of the individual rights under the law.
The ICO has advised that the data protection regime is not to be a barrier to different types of homeworking. With many organisations encouraging and now mandating individuals to work remotely, it is now a good time for reviewing and updating remote working policies, and to remind employees of the requirements of these policies. In general, data protection law does not prevent the use of employees’ personal devices or communication equipment for seamless WFH but organisations will need to consider the same kinds of security measures for WFH that would be used in normal circumstances.
Coronavirus: What you need to know
Jan Eberhardt
Partner
Send inquiry
