COVID-19

COVID-19: Data Protection

Mike Harris Mike Harris

While the coronavirus outbreak is spreading throughout Europe, many public and private organisations are taking measures to contain the virus by putting in new ways of working and also asking for a lot more information from their staff.

The largest physical change is most companies are now allowing their staff to work from home (where possible).

The additional information businesses now need, includes asking staff to communicate to their Human Resource contact if they have any Covid-19 symptoms, if they have been tested positive/negative for Covid-19.  Travel information is also being requested around staffs with requests to complete a form to declaring if they have travelled to/from specific areas or if they have been in contact with people affected by the virus.  Staff who have travelled or whom are considered at ‘risk’ due to potential contacts, are being asked about their current health status.

In performing these actions, companies are collecting special categories of personal data (e.g. health data) from their employees, which under the GDPR need special protections; hence, data controllers must ensure the protection of the personal data of the data subjects.

The Information Commissioner's Office (ICO) published helpful guidance on these issues: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/

Key points are:

  • data protection will not stop companies collecting and sharing personal data quickly as required by this unusual situation;
  •  the principle of proportionality must be taken in consideration;
  • usual practices and standards like responding to rights requests may take longer during the pandemic and should be communicated to the data subjects; 
  • there is no barrier to increased home working, companies need  to consider the same kinds of security measures for homeworking that you’d use in normal circumstances;
  • companies should keep staff informed about Covid-19 cases in the organisation without naming the individuals;
  • companies should not provide more information than necessary;
  • companies have an obligation to ensure the health and safety of your employees; 
  • companies can ask people to tell them if they have visited a particular country, or are experiencing COVID-19 symptoms;
  • the principle of data minimisation applies; and
  • data protection law doesn’t stop companies to share personal data of an individual with authorities when necessary.

What companies should review and take in consideration:

  • Employees’ Privacy Notices: update your “employees’ privacy notice” to include this specific processing of health data or consider to draft an ad-hoc employees’ privacy notice;
  • Visitors Privacy Notice: if you collect information about visitors or other individuals who are not your employees, make sure you have a privacy notice for them;
  • Register of Processing Activity (RPA): review your RPA to include this new process;
  • Forms: review all forms used to collect personal data related to Covid-19 for data minimisation and transparency purposes;
  • Training: make sure that who is dealing with the Covid-19 data has received the appropriate training required for handling special categories of personal data;
  • Access control: restrict the access of health data; and
  • Retention: consider how long you need to store any additional data collected.