We've set out below some commonly asked questions that have arisen in recent weeks.
Can I collect additional employee personal data during the pandemic, including data about travel destinations and COVID-19 symptoms?
In short, yes:
Personal data: A legal basis under GDPR for processing personal data needs to be identified for each new processing activity in relation to personal data, including the collection of new types of personal data, such as asking whether an employee has visited high risk countries. The lawful basis of consent is generally difficult to rely on in an employment context; the employer-employee relationship means that any consent is unlikely to be freely given. The most appropriate legal basis to rely on would therefore be legitimate interests, provided that such interests are not overridden by the data subject's fundamental rights and freedoms (see below for further information).
Sensitive personal data: Data about an employee's health, including whether or not they are experiencing COVID-19 symptoms, is sensitive, or "special category" personal data as defined under the GDPR. As well as requiring a lawful basis for processing under Article 6 GDPR, companies need an additional justification to process this data under Article 9. The most commonly used conditions under Article 9 are consent and necessity. As discussed above, consent in an employment context is unreliable, which leaves the alternative "necessity" conditions, such as substantial public interest and public health interest (for example, protecting against serious cross-border threats to health). Guidance from the UK data protection regulator, the Information Commissioner's Office ("ICO"), sets out that "necessary" means (i) the purpose of the processing must be more than just useful or habitual (but does not have to be absolutely essential), (ii) the processing should be conducted in a targeted and proportionate way and (iii) the processor must not be able to reasonably achieve the same purpose by some other less intrusive means (e.g. if you could achieve the same purpose without the use of special category data).
What are the rules for collecting such personal data?
Employers have a duty to ensure the health and safety of their employees; but any data collected should be proportionate in the circumstances. The ICO's guidance[1] stated that it is reasonable to ask employees to tell you if they've visited particular countries or are experiencing COVID-19 symptoms. As always, the context of the particular situation will be highly relevant and therefore whether particular information can be collected will need to be assessed on a case-by-case basis. For example, extensive health screening of employees working in the food sector, which is subject to hygiene standards, is more likely to be considered proportionate than similar testing of office-based employees. See below for some examples of the types of data that you may wish to collect and the relevant considerations.
[1] Dated 12 March 2020
Once I've collected the personal data, am I allowed to share it with others?
Employees/group companies: The ICO has advised that informing employees that a colleague may have contracted the virus is permitted by virtue of the employer's duty of care and to ensure employees' health and safety; such information may for example facilitate contact tracing and thereby reduce virus exposure. However, this should be done on an anonymised and need-to-know basis, disclosing the minimum data required. If health data needs to be shared with your other group companies, contractual protections should also be put in place.
Other third parties: Data protection does not prevent employers sharing data with other third parties provided that there is a legal basis for doing so, but such transfers should be proportionate. Where the third party is not a public authority, it is particularly important to carry out due diligence on the third party's ability to comply with its processing obligations under data protection legislation, including considering how secure the data will be under its control. Of course, also remember to document the sharing of such data with sufficient contractual protections.
Transfers outside the EEA or the UK: In addition to the above, remember that additional safeguards (such as "model clauses") will be needed if you want to transfer personal data to an entity in a country outside the EEA or the UK which is not the subject of an adequacy decision. On the other matter of the moment – Brexit – the ICO has confirmed that during the transition period, it is business as usual, and so transfers of personal data outside the UK should still be undertaken in accordance with the GDPR requirements, and the European Commission's model clauses can still be used to govern them (albeit that some amendment will need to be made to make it clear that they are intended to cover transfers of personal data from the UK, not just the EEA). For further Brexit/data protection guidance, please see our briefing on the topic.
What documentation do I need to achieve and demonstrate compliance?
You will need to consider whether the following documentation needs to be drafted or updated:
- a data protection impact assessment, which is required for any processing that is high risk (special category data is more likely to be considered high risk);
- an appropriate policy document, which is required if you are relying on certain grounds under Article 9, including where you are collecting data on a substantial public interest ground such as protecting the public. You may well already have one in place for the special category data which you already process as an employer/business, in which case you'll need to update it appropriately to account for any new special category data which you are collecting;
- data protection records, which may need to be updated, for example to reflect any additional categories of data you are processing;
- a legitimate interests assessment, which is required if you are relying on the legitimate interests basis under Article 6(f) GDPR; and
- contractual protections, which are required if you are sharing personal data for instance on an intra-group basis or with another third party.
We also suggest updating all data collection notices, to the extent necessary, so that you are as transparent as possible about the data you are collecting, what you are using it for, and who you intend to share it with.
Are there any other considerations?
There is likely to be a continued surge in homeworking as employers seek to minimise employees' exposure to the virus and comply with the UK government's advice regarding social distancing. Employers should remember their ongoing obligation under GDPR to take appropriate technical and organisational measures in respect of the personal data they process, to ensure a level of security appropriate to the risks associated with the processing. This is especially important where you and your employees deal with special categories of personal data and/or highly confidential customer data. Remind employees of the policies that continue to apply when working from home (e.g. regarding acceptable use, privacy and security) and that only company-approved devices and methods of communication are permitted (unless you have implemented a robust bring-your-own-device policy).
The ICO has recognised that companies may need to divert resources from usual compliance activities and has issued guidance stating that it will not take regulatory action against organisations which have received an information rights request but need to prioritise other areas of their businesses; the ICO has advised that statutory timescales will not be extended but delays will be discussed with affected organisations/individuals.
The above considerations cannot be exhaustive; COVID-19 is continually evolving. Remember to continue consulting the UK Government and ICO websites and if you have any queries in relation to the contents of this briefing, please do not hesitate to contact our team.