Returning to the Workplace - Respecting Employees’ Right to Privacy

Practice Lead - Privacy, Cybersecurity & Information Resilience, Consulting Services, BSI

Conor Hogan

Global Practice Lead - Privacy - Cyber, Risk and Advisory at BSI

Article published 28 June 2021

Providing a safe workplace

The past 18 months have seen the transformation of nearly every aspect of our world. All organizations will have managed different challenges during the pandemic and as governments ease lockdowns, many businesses are planning for employees to return to the workplace.

However, this will not be a return to “normal” and employers will need to consider the implementation of new work practices to ensure a safe workplace and to manage the risk of Covid-19 infection in the context of medical privacy and bodily integrity, vaccination rollouts, infection control and reopening society.

There is also a duty of care for employers to balance numerous considerations, including employee safety, public health advice and the privacy implications of the return to the workplace, and the data protection rights of employees.

Determining whether you collect additional information relating to employee health, wellbeing, vaccination status or other new processing must start with some simple questions:

  1. Is it lawful?
  2. Is it necessary?
  3. Is it proportionate?
  4. Is it transparent?

Each instance of collection or use of new data requires a careful case-by-case assessment of the lawful basis for which it might be collected and/or used, the necessity and proportionality of that collection or use, and consideration of how transparent the collection and use is to your employees. In addition, minimising the amount of data you collect and the length of time you retain it are pragmatic controls that reduce the risks associated with these new processing activities.

Keeping infection out of the workplace will involve a range of actions to be taken, and based on available guidance from data protection authorities, the fundamental data protection principles of lawfulness, necessity, proportionality and transparency are critical. Helpful guidance is available from many data protection authorities, for example:

  • European Data Protection Board:
    • Statement on the processing of personal data in the context of the COVID-19 outbreak [1]
  • Irish Data Protection Commission:
    • Data Protection implications of the Return to Work Safely Protocol [2]
    • Processing COVID-19 Vaccination Data in the context of Employment [3]
  • UK’s Information Commissioner’s Office:
    • Data protection and employee data during coronavirus - six data protection steps for organizations [4]

Lawfulness

The starting point for most businesses will be to try and keep infections (and therefore infected individuals) out of the workplace and to prevent others from being infected through close or casual contacts in the workplace.

Implementation of new workplace measures may result in the collection of significant amounts of personal data, including health information which is treated as special category data under the GDPR (and UK data Protection law) so is subject to additional protections.

New processing activities relating to new Covid-19 control measures must be based upon a clear lawful basis for those activities. This means being crystal clear that an appropriate legal provision facilitates these measures.  There are a number of lawful basis under data protection laws that could justify the processing, but employers should avoid any reliance on their employees’ consent. This is due to the natural imbalance of power between the employer and the employee, meaning that any consent obtained is not likely to be freely given and is therefore not valid.

  • Personal data (Article 6, GDPR): The most likely lawful basis will be that the processing is:
    • necessary to comply with a legal obligation, e.g. the business’ duty to provide a safe working environment, or
    • in the business’ legitimate interests and those interests are not overridden by the rights of the individual.
  • Health data (Article 9, GDPR): Again, the most likely lawful basis will be that the processing is:
    • necessary to comply with a legal obligation, e.g. the business’ duty to provide a safe working environment.
    • However, it might also be possible to justify the processing as being necessary for public health reasons, subject to an enabling piece of legislation underpinning the processing.

Transparency and communication

Employers need to comply with transparency requirements of data protection law (e.g. the EU General Data Protection Regulation, or UK Data Protection Act 2018) and provide to their employees suitable notice to explain why the data is collected, in a simple and clear manner.

This notice should disclose the lawful basis for the collection of the information, the explicit purpose(s), how long it will be retained, if and when it might be shared with a third party (such as a government agency), and who employees can contact if they have any questions or to execute their data protection rights.

Employees should also be protected from discrimination, especially where there is no legal obligation on them to disclose information to their employer. The relevant jurisdiction’s employment and anti-discrimination legislation will need to be carefully considered in the context of any processing activities.

Considerations of new control measures in the workplace

Covid-19 Questionnaires: Employers have a duty of care to their employees and should ask them to follow public health advice relating to the management and treatment of symptoms and infection control. Careful considerations on screening employees on their return to the workplace is needed such that proportionate decisions are documented regarding what information is collected, that it is minimised to the absolute minimum necessary, it is securely stored, retained only for as long as is needed and is only disclosed as appropriate.

Temperature checks: Adhering to public health advice for any screening of employees is the absolute minimum. However, checking temperatures of employees represents a significant exposure to a potentially unnecessary and disproportionate use of personal data. Reducing this processing to the most minimal as possible – i.e. a simple check that is applied when the individual enters the workplace and ensuring the result is not recorded, or combined with any other data - helps minimise these risks.

Covid-19 testing: Employers have an important role to play informing employees what options are available for testing and/or arranging for additional testing if appropriate. Depending on the workplace environment businesses may want to test their employees to determine if they have actually been infected by Covid-19. Employment law will have to be taken into account and careful consideration of the lawful basis of submitting employees for testing and accessing or requesting test results is required.

Tracking: Businesses will also want to track the level of infection within the business in order to assess the overall risk to the business and the effectiveness of the measures taken to combat infection. This is likely to mean businesses keeping records of which employees are vulnerable and shielding/cocooning, those that might potentially be infected and are self-isolating, those currently infected or who have previously been infected. Sharing this information with the relevant public health and welfare authorities might be required. Retaining this information for as short a time as possible is an important control measure.

Contact tracing: If an employee is found to be infected, businesses may want to warn those who have been in close contact with the employee about the risk they have also been infected. However, the confidentiality of this information is paramount and the information provided should be on a limited basis, if at all. Typically, the public health authorities should make contact with close or casual contacts thus removing risks from the employer

Vaccination Status: Returning to the workplace means redesigning many work-spaces and offices to account for increased physical-distancing between individuals and ensuring increased infection controls are in place. Employers could look to segregate non-vaccinated and vaccinated staff, or perhaps require non-vaccinated staff to remain working from home or remote locations (if their job might allow). However, processing the vaccination status of employers is likely not considered a necessary or proportionate measure in most employment situations and should therefore not be undertaken.

Top tips for employers

Key to the case-by-case proportionality assessment required and compliance with the wider obligations under data protection laws are the safeguards applied to the data, such as ensuring the personal data is held securely, is not retained for longer than is needed and is not transferred to third countries or third parties without adequate protections and safeguards.

When processing personal data, including health data, suitable safeguards must be implemented to include limiting access to the data and ensuring adequate training for staff to protect rights of data subjects.

Similarly, there should be arrangements in place to ensure this personal data is deleted once it is no longer required, though business should be alert to any statutory retention periods (e.g. for health and safety records) which might greatly lengthen the period this data must be held for.

Where possible, organizations should consider adopting pseudonymised or anonymised data approaches to reduce the risk of the identification or reidentification of their employees.

It is important to properly document the decisions, risk assessments, case-by-case considerations and the controls established to manage the issues including the data protection compliance obligations presented by your organization’s response to the Covid-19 pandemic. Data protection laws mandate a data protection impact assessment (DPIA) is carried out prior to high risk processing activities commencing, and this is particularly relevant for organizations that introduce any new technologies, including tracking systems, screening checks and in planning a return to the workplace in the new post-pandemic world.

How can BSI support you?

At BSI, our Privacy Practice supports organizations across all stages of their privacy and data protection compliance journey. Our team consists of industry certified and experienced privacy leaders, consultants, and project managers operating across the globe. 

Our services include:

Interested in knowing more? Contact us for more information:

Call: IE/Intern +353 1 210 1711 or UK +44 345 222 1711

Contact us now >

 

References:

[1] European Data Protection Board: Statement on the processing of personal data in the context of the COVID-19 outbreak. Adopted on 19 March 2020

[2] Data Protection Commission: Data Protection Implications of the Return to Work Safely Protocol. Version: June 2020

[3] Data Protection Commission: Processing COVID-19 Vaccination Data in the context of Employment. Version: June 2020

[4] Information Commissioner's Office: Data protection and employee data during coronavirus - six data protection steps for organizations

About the authors:

Conor Hogan

Global Practice Lead - Privacy - Cyber, Risk and Advisory at BSI

 

Conor is an experienced privacy, data protection and information security advisor with more than a decade’s experience in consultancy and audit. Conor has extensive knowledge of designing, implementing and operating enterprise-wide privacy programs.