As a business with employees and customers you may be considering steps to mitigate and contain the spread of COVID-19 or the Coronavirus as its more commonly known as. Equally as a citizen one should also be aware of our rights when it comes to the processing of our personal data.
Many of these steps will involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special category’ personal data (such as data relating to health).
Any measures you take involving the use of personal data, including health data, should be necessary and proportionate.
When you are acting on the guidance or directions of public health authorities, or other relevant authorities you are allowed to process personal data, including health data, once suitable safeguards are implemented. Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
Any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.
The identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification.
Ensure you document any decision-making process regarding measures implemented to manage COVID-19, which involve the processing of personal data.
Employers have a legal obligation to protect the health of their employees and maintain a safe place of work. In this regard, and in the current circumstances, employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms.
Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. This should take into consideration specific organisational factors such as the travel activities of staff attached to their duties, the presence of vulnerable persons in the workplace, and any directions or guidance of the public health authorities.
There would be no data protection implications in bringing the HSE recommendations to the attention of staff and visitors, if they have recently travelled to an affected area and/or are experiencing symptoms, and requesting that they take any appropriate actions.
While employers have a legal obligation to protect the health of their employees, employees also have a duty to take reasonable care to protect their health and the health of any other person in the workplace. In this regard, employers would be justified in requiring employees to inform them if they have a medical diagnosis of COVID-19 in order to allow necessary steps to be taken.
However, it is important to keep in mind that the recording of any health information must be justified and factual, and must be limited to what is necessary in order to allow an employer to implement health and safety measures.
Employers should follow the advice and directions of the public health authorities, which may require the disclosure of personal data in the public interest to protect against serious threats to public health.
Employees should follow the advice of their healthcare practitioners and the public health authorities in these circumstances, who will instruct them as to what they need to do if they present symptoms of COVID-19.
Employers have a duty of care to employees to provide a safe place of work, which may require them to exercise discretion regarding access to premises. In a situation where an employee has confirmed that they have COVID-19, advice should be sought as a matter of urgency from the public health authorities as to what steps should be taken.
The decision to send employees home from work is not a data protection matter and may have other consequences for employers relating to employment law e.g. entitlement to sick pay.
This should be avoided, in the interests of maintaining the confidentiality of the employee’s personal data. For example, an employer would be justified in informing staff that there has been a case, or suspected case, of COVID 19 in the organisation and requesting them to work from home. This communication should not name the affected individual.
Disclosure of this information may be required by the public health authorities in order to carry out their functions.
Data Influence blogs and stories are provided for information only, not legal advice. Always consult your lawyer on legal matters.