HR data during the pandemic
Given the unprecedented events of recent weeks, it is perhaps fair to say that data law compliance has not been at the forefront of most employers’ minds. However, businesses must remember that data protection legislation (including the UK’s Data Protection Act 2018 and the EU’s General Data Protection Regulation (GDPR)) continues to apply during the pandemic. This is particularly important given that many employers are now collecting (or plan to collect) additional health data.
Employers collect and process a lot of personal data about their workforce in the usual course of business. Provided they can justify this by relying on a lawful basis under the GDPR (for example, a legitimate interest and/or the need to perform a contractual obligation), this processing will be lawful. However, employers are still required to ensure that they handle such data securely, keep it up to date and do not retain it for longer than necessary.
In order to manage the impact of the pandemic, many employers are collecting additional personal data about their staff (for example, whether they are displaying COVID-19 symptoms or living with somebody who does, where they have recently travelled and/or the results of any COVID-19 testing). In addition, some employers are considering implementing new measures as part of their return to work strategies (such as mandatory temperature checks), which would result in them collecting even more personal data from their staff members. Most of this additional data will be considered a ‘special category’ of personal data, and as such, will be subject to more stringent measures.
Lawful processing and limitations regarding health data
Under the GDPR, in order to lawfully collect data about their workers’ health, employers will need to satisfy a ground under Article 9. For UK employers, in most cases, this is likely to be Article 9(2)(b), which permits the processing of data for ‘employment, social security and social protection’ reasons, so enabling employers to comply with UK health and safety legislation requiring them to take reasonable steps to look after their workforce. The collection by employers of workforce health data is also implicit in recent government guidance, so claiming that such data collection is unlawful is unlikely to hold any sway.
However, employers still need to be mindful of their general data protection obligations and consider why they need specific data and/or whether there are other ways to achieve the same outcome in a less intrusive way. For example:
- employers only need to know whether an individual is living with somebody displaying COVID-19 symptoms; they do not need to know information such as that person’s name (to ensure they do not end up processing personal data about a non-staff member) and/or that person’s relation to the member of staff (which could, for example, disclose a staff member’s sexuality);
- if an employer conducts daily temperature checks when their workplace re-opens, they are unlikely to need to record the names of those tested and/or their temperatures on a specific day where the individuals in question do not have an abnormal temperature.
It is also important that employers have sufficient safeguards in place to protect against misuse of personal data and that access is restricted on a ‘need-to-know’ basis. For example, employers should not disclose which workers are infected to other team members unless this is absolutely necessary. Information should also only be kept for as long as it is required.
Data Protection Impact Assessments
Before introducing any new method of collecting personal data (especially biometric data) which is likely to result in a high risk to individuals, employers should conduct a well-documented data protection impact assessment (DPIA), ideally before collection starts or, failing that, as soon as possible afterwards. A DPIA is intended to help businesses understand the risks associated with particular data processing activities and identify the measures that can be taken to mitigate such risks.
Staff privacy notice
All employers are required to have a staff privacy notice which explains what personal data the employer processes, why it does so and how that data is retained. Employers should check their privacy statements and policy documents and update them to reflect any changes which have arisen in the context of the pandemic.
Individuals’ rights under the GDPR
Under the GDPR, individuals (including employees) have the right to make requests in respect of their personal data (e.g. a subject access request) which need to be responded to within a statutory time frame. In the current circumstances, with workplaces closed and a large proportion of staff working from home, these will be harder for employers to comply with. Whilst the UK’s data protection regulator has said that it will take a pragmatic approach in respect of data law compliance, it is important that employers have a way of tracking any requests and responding to them as quickly as they can. If an employer cannot meet a deadline, they should communicate that to the relevant individual as soon as possible.
The current global crisis is evolving rapidly, and the rules and guidance for individuals, companies and other entities to manage its implications are similarly fast moving. Notes such as this may be out of date almost as soon as they are published. If you have any questions prompted by this article or on any other matter relevant to you, please get in touch with your usual contact at Forsters.