What Does COVID-19 Mean for Data Protection

March 18, 2020

​The COVID-19 pandemic is changing how we all live and work in an unprecedented way. When it comes to work, many of us (not least the SLHQ flock) will be working from home. Of course, homeworking is nothing new – but when all or a majority of your workforce are homeworking, this is a different kettle of fish and, as a business, the anxiety of losing control over your workforce is completely understandable.

From asking staff about their health and wellbeing to how to comply with subject access requests, we’ve had a few clients ask questions about what COVID-19 means when it comes to complying with their data protection obligations.

In this blog we tackle the following questions...

  • Can you ask staff how they are feeling?
  • Do you need consent to collect health data about staff?
  • Do you need to provide any notices to staff?
  • What is an ‘appropriate policy document’ and do you need one?
  • Can you tell other staff members if a colleague contracts COVID-19?
  • Are there any data protection risks of homeworking?
  • Can you monitor what staff are doing with their time?
  • How do you handle data protection rights at a time like this?
  • How can Stephenson Law help?

Can you ask staff how they are feeling?

Of course you can! COVID-19 symptoms aside, home working can be solitary, and it seems likely that this will be the norm for some time. It’s really important to check in with your staff (we have the technology!), to maintain that sense of togetherness and to detect whether their mental health is being affected. There’s some great guidance from Mind on this.

But data protection draws a line. The principle of data minimisation means that you can’t ask for more personal data than you need. In reality, your staff are going to tell you if they’re feeling iffy or you’re going to pick this up through communicating with them. Asking staff to regularly complete health questionnaires and report their vital signs? Depending on the nature of your business, that’s probably a step too far and you won’t get way with this “because COVID-19”.

Do you need consent to collect health data about staff?

No. There are issues with consent in an employment context anyhow – the general rule being that consent is likely to be invalid given the imbalance in the employer-employee relationship.

However when it comes to health data (which falls within the definition of “special categories of personal data” under the GDPR), you need to have a lawful basis for collecting it (called an ‘Article 6 ground’) and you need to satisfy a further condition (called an ‘Article 9 condition’).

In terms of Article 6 grounds, the most relevant is where the processing is necessary to comply with a legal obligation (Article 6(1)(c). Employers owe a duty of care towards staff when it comes to their health and safety, including under the Health and Safety at Work etc. Act 1974, which establishes the general duty of care, and the Management of Health and Safety at Work Regulations 1999, which, among other things, requires employers to assess risks on an ongoing basis and implement effective health and safety measures to protect staff.

In terms of Article 9 conditions, the most relevant is where the processing is necessary to carry out obligations and exercising rights (of both the employer and staff) in an employment context. This overlaps with Article 6 ground described above, but you may also need confirm whether a member of staff has COVID-19 when it comes to paying statutory or enhanced sick pay (though the Government’s guidance is that employers should use their discretion around the need for medical evidence to reduce the burden on GPs).

In life and death situations, you may need to rely on the vital interest ground and condition.

Again, the key word is ‘necessary’ – don’t ask for more personal data than you really need.

Do you need to provide any notices to staff?

Your staff ‘fair processing’ or ‘privacy’ notices should already contain information about the need to collect health data in certain circumstances and the legal grounds and conditions relied upon you for doing so. If they don’t, then now would be a good time to update them and share them with staff. If they do, a reminder never hurts.

What is an ‘appropriate policy document’ and do you need one?

The Data Protection Act 2018 requires employers to have an ‘appropriate policy document’ in relation to handling special categories of personal data, including health data. This document must:

- explain your procedures for ensuring compliance with the key principles of data protection law in respect of such data-
- explain how long you’re likely to retain such data and your procedures regarding the retention and deletion of that such data

This document must be kept and reviewed from the time when you start processing health data until the end of a period of six months from when such processing ceases.

If the GDPR requires you to maintain ‘records of processing activities’ under Article 30 of the GDPR, or you’ve decided to maintain them anyway, you must update these records to identify which Article 6 ground and Article 9 condition you’re relying upon when processing health data for a specific purposes and whether such data will be retained and deleted in line with your appropriate policy document or, if not, why not.

For an example of such document, take a look at the ICO’s appropriate policy document.

Can you tell other staff members if a colleague contracts COVID-19?

Word is likely to spread quickly anyway, particularly in smaller organisations, but as an employer, you have a duty to keep any information about any staff member’s health status confidential. This doesn’t mean that if you still have staff in the office, you shouldn’t warn them that a colleague has contracted COVID-19, but you don’t really need to name them.

Are there any data protection risks of homeworking?

Any change in circumstances which requires people to work in a different way is likely to heighten data protections risks. Data protection law requires you to implement appropriate technical and organisational measures to ensure the security of personal data, which includes the confidentiality, integrity and availability of such data. In terms of what is ‘appropriate’, this depends on the nature, scope, context and purposes of the processing of personal data by you.

The key risks when it comes to homeworking include:

- Security of access to/from systems – staff should be given advice on how to ensure that their home network is secure for one thing. But you also need to ensure that access to/from your systems is also secure, whether through reviewing the security of cloud-hosted systems or connections to corporate networks via VPNs (see NCSC guidance on homeworking and technical guidance from Microsoft regarding Office 365)

- Cybersecurity threats – there are folks (in dark rooms wearing hoodies, obviously), who will seek to capitalise on the opportunity presented by the vulnerability of staff working from home on poorly secured devices and leveraging the increased volume of emails flying around about COVID-19 to perpetrate fraud and phishing scams. Make sure your staff are aware of how to spot these risks so that they can avoid them. There’s some great advice from the NCSC on how to protect your business from these threats and free training materials too

- Use of personal devices – not every business is able to provide staff with a computer or mobile device to work from home, which means the use of personal devices. This presents some clear risks, from those devices being used by other household members (the answer is ensuring that homeworkers have separate accounts and the password isn’t shared) to the risks of malware and viruses (staff should be provided with virus protection software if they don’t have it already) and staff storing personal data relating to individuals in the memory of those devices or personal cloud storage accounts (which should be a no-no). There’s some helpful guidance from the ICO and the NCSC about this

- Confidentiality – most organisations are paperless/paper-less these days, but there’s still the possibility that staff will take hard copy documents home or print them off. You should urge staff to keep any hard copy documents locked away and bring them back to the office for secure shredding when safe for them to return

Can you monitor what staff are doing with their time?

This is a tricky one. Some organisations may feel like they have been forced into trusting their staff to work diligently from home. Putting trust to one side, it’s clear that no two people are the same and while some staff members will thrive from working at home, others may struggle and be less productive.

Data protection law doesn’t prevent employee monitoring per se. However, any kind of monitoring must be necessary and proportionate. A European court case from 2017 (Bărbulescu) set out six criteria that should be considered when making this assessment:

- Whether staff were notified that monitoring might take place-
- The extent of the monitoring and degree of intrusion
- Whether legitimate reasons to justify monitoring were provided to staff
- Whether monitoring could have been undertaken using less intrusive means
- The use made by the employer and consequences of the monitoring for staff concerned
- Whether staff were provided with adequate safeguards

In practice, employers will need to rely on the Article 6 ground of ‘legitimate interests’ when proposing to monitor staff use of IT systems (which may not, in itself, provide an accurate picture of what a staff member is doing anyway). This would require a documented ‘legitimate interest assessment’ or ‘LIA’ to be undertaken.

In any case, you must be transparent with your staff about any monitoring, which may mean updating your policies and staff ‘fair processing’ or ‘privacy’ notices.

How do you handle data protection rights at a time like this?

There is no get-out-of-jail-free card when it comes to complying with the time limits for responding to requests from individuals to exercise their rights under data protection law. However some organisations, such as those with computer or filing systems that can only be accessed ‘on-prem’, may be able to justify an extension to the one month timescale for responding to requests due to the organisational challenges posted by COVID-19 (by up to a further two months).

The ICO has confirmed that it will not penalise organisations that “need to prioritise other areas” during this time, but you should be doing everything you can to ensure that standards don’t slip and be prepared to defend yourself in the event that an individual complains about the time taken for you to respond to their requests.

How can Stephenson Law help?

Some of the ways we can help include:

- Supporting Data Protection Officers and those responsible for handling data protection in your organisation with managing compliance, including updating records of processing activities (ROPAs), reviewing legitimate interest assessments (LIAs) and facilitating data protection impact assessments (DPIAs)

- Preparing and updating staff privacy notices and appropriate policy documents

- Preparing and updating policies around BYOD, homeworking, IT and communications

- Producing guidance for your staff on key data protection risks

We’re the experts in getting data on your good side. Find out more about our data protection offering here.

Receive our insights directly to your inbox by signing up to our newsletter

Recommended content