A recent survey conducted by William Fry revealed that staff notification of a colleague’s suspected or confirmed diagnosis with COVID-19 is employers’ main data protection concern when it comes to employees returning to the workplace.
Leo Moore, Catherine O’Flynn and Nuala Clayton led a panel webinar hosted by Walters People on health & safety, employment law and data protection considerations related to the return to work, following the outbreak of COVID-19. Half of the webinar attendants, when surveyed, cited data protection concerns around the issuance of staff notifications of a suspected or confirmed case of the virus in the workplace, as their main concern.
Guidance on the Return to Work
The Return to Work Safely Protocol, published by the government in May, provides guidance on dealing with confirmed cases of COVID-19 in the workplace. This guidance sets out that, where a case is suspected or confirmed among employees, a response plan should be in place. Data protection elements, however, are not addressed in the guidance. The Irish Data Protection Commission (DPC) also published guidance on Data Protection and COVID-19 in early March. Neither however, provide guidance specific to dealing with the data protection issues which could arise as workplaces begin to reopen.
If there is a suspected / confirmed case, what should you do?
As referenced in our recent briefing, Returning to the Workplace, employers can inform staff about suspected or confirmed COVID-19 cases among employees however, they must take appropriate protective measures when doing so. Employers should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventative context), the concerned employees should be informed in advance of the communication. Their dignity and integrity should be protected.
When revealing personal data of an infected person, organisations need to consider the GDPR principles of transparency, confidentiality, data minimisation and retention/deletion; these are of paramount importance for employers when managing COVID-19. Data minimisation means that the amount of data processed should be kept to a minimum and not stored for any longer than, nor disclosed unless necessary, to achieve the purpose for which the data were collected. Employers should, therefore, be wary of divulging the identity of individuals with confirmed cases to other employees and only do so in special circumstances, as assessed on a case by case basis.
Updating data protection notices to legally process additional personal data
Another data protection concern, for a notable 45% of our webinar’s attendees, was the requirement to update notices, policies and procedures to legally process additional personal and health data (special category data). Employers collecting special category data using return to work questionnaires or temperature checks will need to provide additional information on both forms of data processing in an updated or supplemental notice to employees.
In accordance with GDPR obligations, employers should supplement existing notices or provide a specific notice about further processing of personal data detailing:
- Categories of data subject affected;
- Categories of personal data processed;
- Purpose and legal basis of the new data processing activity; and
- Data retention policies.
Please click here to watch the full webinar where Catherine O’Flynn, Leo Moore and Nuala Clayton join Walters People to discuss how employers can best prepare its “Workplace of the Future” in light of COVID-19.
Contributed by Karolina Rozhnova and Nicole Fitzpatrick