The Information Commissioner’s Office recently updated its guidance to data controllers on their data processing obligations during the Covid-19 pandemic. The updated guidance provides organizations with six key privacy steps, as well as expanded guidance on the use of testing and surveillance in the workplace.
Coronavirus Recovery – Six Data Protection Steps for Businesses
On June 16, 2020, Information Commissioner Elizabeth Denham posted a blog outlining the six top steps she recommends organizations focus on in their privacy practices right now.
While these steps largely summarize the data protection principles that already apply to the processing of personal data under the Data Protection Act, the blog is a helpful reminder of the points companies should weigh when planning new processing activities as a result of Covid-19:
- Collect and use only what is necessary: Collect only the personal data that is necessary for the safety of your workplace, and consider whether other measures could deliver a safe environment without the need to collect additional data.
- Keep it to a minimum: Collect only the personal data that is necessary to implement new measures appropriately and effectively. This is especially important when you want to collect health data from employees, such as records of symptoms and test results.
- Be clear, open and honest with employees about their data: Think about whether and how employees may be affected by any of the measures implemented in your response to Covid-19. Remember to be transparent with employees about what information you are collecting from them and what you will do with it.
- Treat people fairly: Similarly, some people may be at risk of discrimination based on the information (particularly health data) you may want to collect. Think about what steps can be taken to ensure employees are treated fairly.
- Protect people’s information: In line with your normal privacy practices, it is important to continue to keep all information collected during the pandemic secure. Review your retention policy so that it covers new types of information that should be retained only temporarily.
- Staff must be able to exercise their information rights: As with point 3, it is important that individuals continue to be informed about how their data is being used and what rights they have. As part of this exercise, decide whether a data protection impact assessment (DPIA) should be carried out where new data processing could create a risk for data subjects.
Workplace tests for Covid-19
A number of organizations are looking at workplace testing to reduce the risk of their employees becoming infected with Covid-19. Testing in the workplace raises a number of data protection issues that must be taken into account in addition to the employer’s obligations under employment law and health and safety law. After initially publishing a brief guidance document, the ICO expanded its guidance on workplace testing for Covid-19, which is provided in an accessible FAQ format.
Key questions include: “When they return to work, I want to run tests to see if my employees have symptoms of COVID-19 or the virus itself. Do I have to consider data protection law?”, “How do I decide whether to check for symptoms, test staff and process employee health data?”, “Can I choose to have my employees screened or tested for COVID-19 symptoms?”, “How often should I check for symptoms or test staff?” and “Can I share the fact that someone has tested positive with other employees?”.
The ICO’s overarching message is that data protection law does not prevent organizations from testing employees for Covid-19. Before any organization does this, however, there are a few things to consider:
- Identify what goals you want the tests to achieve: For example, you may operate a production facility where many employees work in close proximity and want to ensure a safe work environment.
- Consider whether testing is required to achieve these goals: Test results are classified as special category personal data, so you should only process this type of information when it is absolutely necessary. If other measures could achieve the goal of a safe work environment, testing may not be appropriate. It is important to ensure that a testing regime is proportionate and to consider whether less intrusive measures could achieve the same goal. For example, could employees be asked to maintain social distance, wear masks or work from home instead? Or could testing be limited to employees performing certain higher-risk tasks?
- Identify your legal basis for processing the data related to the tests: Because test results are special category personal data, an organization must identify a lawful basis under Article 6 of the GDPR and a separate condition under Article 9, and must also satisfy any additional requirements of the Data Protection Act 2018. The employment condition in Article 9(2)(b) may be available to private organizations, but each organization must reach its own conclusion and be able to justify the legal bases it chooses to rely on. In particular, reliance on the employment condition requires the employer to show that testing is necessary to meet its specific obligations under employment or health and safety law.
- Data protection law is only one consideration before implementing a testing regime: Organizations are advised to review, and if necessary seek advice on, what other regulations and laws may affect a mandatory testing regime, for example health and safety law, employment law and equality law.
- Pay attention to who the test results are shared with: All health information collected from employees during the pandemic, including test results, should be made available to the smallest possible group. The ICO asks whether access could be restricted to medically qualified personnel, employees who work under certain confidentiality agreements, or employees in suitable positions of responsibility. Also, make sure that employees have complete visibility into how and with whom their data can be shared. Testing laboratories may be required by law to report positive results to health authorities.
- Record keeping and accountability requirements: The ICO is clear that organizations carrying out Covid-19 tests on employees will be processing special category personal data (specifically health information) and must carry out a DPIA before the testing program starts. The DPIA process should help determine whether an organization’s testing program is necessary, which legal basis it will rely on, and what impact it might have on data subjects, so that risks can be managed effectively. This is especially important if a third party is in any way involved in conducting or facilitating the testing.
Workplace testing is only appropriate in certain circumstances. It is therefore important that companies carefully examine the privacy issues and consult employee representatives before starting a testing program.
Workplace surveillance and Covid-19
While some organizations implement testing programs for employees, others may look for other ways to ensure a safe work environment, such as thermal imaging cameras or CCTV systems. As with its other recommendations and advice highlighted above, the ICO stresses that data protection law does not prevent employers from considering how to protect their employees and workplaces during the Covid-19 pandemic.
Regarding the use of intrusive technologies such as temperature checks and thermal cameras, the ICO reminds companies that the proportionality of their use and transparency towards individuals are of vital importance. The ICO’s view is similar regarding the use of CCTV cameras to monitor employee compliance with health and safety measures. Again, it states that the application of these measures must be necessary, justified and proportionate. For example, can these systems be used in such a way that no personal information is recorded about an individual, but the system merely gives that individual the result and instructions on what to do if it indicates an elevated temperature?
Before using these monitoring methods, an organization should assess whether employees would expect their data to be used for these purposes and in this way, and conduct a DPIA to confirm that this type of processing is appropriate in the circumstances. Employers also need to take into account that a high temperature can be caused by a number of factors unrelated to Covid-19 and is not necessarily indicative of any illness (whether Covid-19 or otherwise).
If you are considering using these technologies to trace an employee’s past movements should they later test positive for Covid-19, think carefully before doing so. Monitoring in this way can reveal additional information about an employee’s private life, to which they are entitled to a degree of privacy.
Collection of customer and visitor data for contact tracing
Finally, the ICO has published guidance for companies that are asked to collect contact information from customers, visitors and employees for contact tracing purposes.