Coronavirus and Employee Data, Part 1

With lockdown unwinding and the return to work, here's what you need to know

The privacy issues of coronavirus and returning to work are a big topic, whether you’re a pub, a small office, a public-sector body or an international enterprise.

While there are specifics that will apply to each organisation, the core Privacy issues are the same for all.

And stay with us as we’ll lead you through completing your DPIA at the same time in 10 Key Steps!  Feel free to pause along the way to jot down your first draft.

This is Part 1 of 2, and we’ve likewise split the Privacy Kitchen video into two parts.  In this Part 1, we’ll go to the source, the GDPR, as well as the UK ICO’s 6 Steps.  We’ll also reference the amazing guidance from New Zealand’s Privacy Commissioner – highly recommended.

You can also watch our free video ‘Coronavirus & Employee Data Part 1’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy.  If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.

Links are in the notes below, as always.


Eyes and ears open!

Now, one certainty about coronavirus is that the situation will constantly change.  This post was made on 27 June 2020.  The GDPR aspect won’t change, but do keep an eye on regulators’ guidance, emergency laws for particular sectors, etc.

Myth-slaying

Now, first, let’s be practical straight off and kill a big myth with a great statement from the UK Information Commissioner, Elizabeth Denham:

‘Data protection does not stop you asking employees whether they are experiencing COVID-19 symptoms or introducing appropriate testing as long as the principles of the law – transparency, fairness and proportionality – are applied.’

This has been reflected outside the UK in a Joint Statement from the Council of Europe and the Committee of Convention 108, saying it’s important to recall data protection can in no manner be an obstacle to saving lives.  It’s all about balancing the interests at stake.

But you do need to comply with the law, and the UK ICO summed it up nicely there.  They go on to say it’s all about ‘being proportionate – if something feels excessive from the public’s point of view, then it probably is.’

And that’s reflected in that Joint Statement, which said employers should respect the principles of necessity, proportionality and accountability and be guided by principles designed to minimise risk to employees.

So we’ve seen that GDPR does not stop you, and we’ve seen that there’s a nice framework about how to go about it.

Stick around – we’ll show you exactly how to do it!

Documentation & Accountability

So, the first thing is to recognise this is clearly a sensitive topic.  Let’s make sure we cover off GDPR’s 7th Principle – Accountability – from the start.

We recommend you put all of this into a document, call it a Draft Data Protection Impact Assessment, or DPIA.  It’ll save time later on – you need to do a DPIA anyway, and doing it this way will make it super simple.  You’ll also have shown you’ve implemented ‘data protection by design’ and ‘by default’.

Now, Keepabl and other providers have template DPIAs and the regulators like the UK ICO make them available for free.  If you’ve got a DPO, you’re going to need their advice on it anyway, and they will give you your template.

The key thing though, under GDPR, is there’s no set form to use for a DPIA.  As long as you cover GDPR’s requirements in Article 35, you’re fine.  It’s the minimum a DPIA should cover:

You can see it’s obviously what we need to be thinking about in this situation anyway.

Now you could even copy and paste these requirements into a document and use them as headings in your DPIA.

OK, open up a new document, grab a coffee, and let’s get started!

Frameworks

Now we’ve already identified three frameworks we’ll use to look at this:

  • GDPR’s 7 Principles,
  • the UK ICO’s 6 Steps, and
  • the DPIA requirements.

This is our 1st Key Step for your DPIA: make a note of these frameworks in your draft DPIA so you can show you thought about the right things.

We’ve already talked about accountability, GDPR’s 7th Principle. Now let’s set out all seven …

and here are the UK ICO’s 6 Steps:

Now we won’t follow the strict order of the UK ICO’s steps here, but they’re correct to start with only collecting what’s necessary and keeping it to a minimum, of course.  If you don’t collect information, you can’t misuse it, you can’t keep it for too long or disclose it inappropriately.

But necessary for what?

Purpose

So, you first need to identify why you’re collecting the personal data at all.  What’s your purpose?  And, presumably, the purpose we’re talking about here is to maintain a safe working environment – it’s the right thing to do morally, but you’d also be liable as an employer if you didn’t, under health and safety and employment laws.

Now you won’t use this data for any other purpose than the ones you specifically set out.  This is GDPR’s 2nd Principle: purpose limitation. And this is our 2nd Key Step for your DPIA: make a note of your purpose in your draft DPIA.

Risk assessment & appropriate measures

This is the UK ICO’s 4th point.

We know the purpose now, so we need to flesh out how we’re going to achieve that purpose and we’re going to assess the risk to individuals from our processing.  Now remember – GDPR just doesn’t care about the risk to your organisation, it’s all about the individuals.

But otherwise risk assessments for GDPR are very familiar:

  • you identify the threats and vulnerabilities,
  • you look at the risks and then the ultimate damage to individuals,
  • you look at the measures you can put in place, and
  • you then quantify the likelihood of each risk happening and the impact if it does, and combine the two to get a risk rating.

Now, a second key aspect of GDPR and risk is you can’t move forward with high-risk processing without getting advice from the regulator.  So you’re going to prioritise the high risks – and this processing is likely to be high risk – and put in place sufficient measures to mitigate them down to acceptable levels, if not to negligible, or to remove them entirely.

The UK ICO gives some great high-level questions to think about here:

  • How will collecting extra personal information help keep your workplace safe?
  • Do you really need the information?
  • Will any test you’re considering actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information?
  • Can the collection of health information be confined to high-risk roles?
  • Can access to the health information be limited, so it’s only seen by, for example, medically-qualified staff, those working under specific NDAs or particular positions of responsibility?
  • Are there reasonable alternative measures that don’t rely on personal information, such as strict social distancing or working from home?

And, as the UK ICO advises, don’t look at this at the generic level only.  You then need to consider the specific circumstances of your organisation or workplace. Things like:

  • the type of work you do,
  • the type of premises you have,
  • whether working from home is possible,
  • any specific regulations or health and safety requirements that apply to your organisation and staff, and
  • any duty of care that you owe to them.

Now don’t worry!  You don’t need to write War & Peace, but you do need to consider the key issues, in particular that risk assessment and the measures in place.  As the UK ICO notes, if you can show that your approach is reasonable, fair and proportionate to the circumstances, it’s very unlikely data protection would be a barrier.

Getting there!

OK, great progress!  We’ve now identified the risk to individuals and the best way to minimise that risk with necessary and proportionate measures, not just from a health viewpoint or a privacy viewpoint, but from a holistic viewpoint.  We’ve dealt with the fairness part of GDPR’s 1st Principle, and this is our 3rd Key Step for your DPIA: make a note of the risks you’ve identified, their likelihood, impact and final risk rating after the measures you put in place to address those risks, and put that into your draft DPIA.

We’ve also identified it’s the minimum personal data necessary to accomplish the purpose.  We confirmed there’s no other way to achieve that purpose, and minimise the risks, that uses less data.  This also addresses GDPR’s 3rd Principle: data minimisation.

And, in working out how to collect the data, you’ve ensured that all forms, if you’re using them, are easy to understand, that the data is easy to correct, you’ve looked to minimise any errors, perhaps with automated collection.  So you’ve addressed GDPR’s 4th Principle: accuracy.

Now, when you’ve fully considered and answered these, this is our 4th Key Step for your DPIA: write down the personal data you need for your purpose, why it’s the minimum personal data, and that you’ve looked at other ways and this is the way that minimises the data you’re going to collect.

Special categories

‘Special categories of personal data’ is a reason to be particularly careful when considering all of this, because the personal data you’re collecting is health data, which is a special category of personal data under GDPR.

There’s an even stronger presumption against processing special categories due to the higher risk that they present to the individual data subjects.

So, first, here’s GDPR’s definition of health data – you can see it’s obviously data relating to someone’s physical or mental health.  It’s also information revealing information about his or her health status.  So it extends beyond that direct information:

‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’

As long as the information reveals something about their health status, it’s health data. It could be an appointment with a specialist and that reveals something about their health.  Recital 35 in GDPR gives more guidance, as does the UK ICO’s excellent guidance.

Right!  We’re halfway through!  This is our 5th Key Step for your DPIA: itemise which of the personal data you’re collecting is special categories – and probably health data – and which isn’t.

See?  DPIAs aren’t so scary.  We’re filling it up nicely.

Now, we’ll pause at this point, and we’ll come back in Part 2.

Links

  • GDPR
  • UK ICO’s Coronavirus recovery – six data protection steps for organisations
  • UK ICO Coronavirus recovery – data protection advice for organisations
  • Convention 108
  • Joint Statement on the right to data protection in the context of the COVID-19 pandemic by Alessandra Pierucci, Chair of the Committee of Convention 108, and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe, Strasbourg, 30 March 2020
  • UK Gov
  • Law Society Guidance for law firms on safe return to the office
  • New Zealand Privacy Commissioner’s Coronavirus Hub
  • New Zealand Privacy Commissioner’s Information for hospitality businesses and event organisers
  • New Zealand Privacy Commissioner’s Advice to the Hospitality Industry, 22 March 2020
  • New Zealand Privacy Commissioner’s Information for employers and employees
  • Rippl
  • IoD Coronavirus Support Hub
  • FSB on Coronavirus for SMEs and self-employed
  • Osborne Clarke on Medical monitoring and testing
  • Lewis Silkin, Coronavirus – FAQs on managing a safe return to work
  • Eversheds Sutherland, Coronavirus – Beyond lockdown: returning to work – UK

Contains public sector information licensed under the Open Government Licence v3.0