4 Data Protection issues a Business should consider prior to a return to the workplace
As lockdown measures continue to be eased in the UK, there are many areas organisations must consider before reopening. Although many have already considered the health, safety and welfare issues that can arise, data protection is another area to consider. Such issues can arise from:
- Collecting employee health data and testing regimes
- Contact tracing visitors and customers
- Using thermal cameras and CCTV surveillance systems
- Data protection enforcement
To help you in your preparations, our Risk Management Team have listed four Data Protection issues that may arise in a return to the workplace:
Collecting Employee Health Data and Testing Regimes
Any data in relation to an employee’s health and/or testing for COVID-19 symptoms should be treated as ‘special category data’ under the General Data Protection Regulation (GDPR) and Data Protection Act 2018. As such, both a lawful basis and a condition for processing must be established. For employers this is most likely to be ‘legitimate interest’ and ‘employment’ respectively. The use of testing needs to be reasonable, fair and proportionate to the circumstances. Such circumstances can include the nature of work undertaken, the premises and whether working from home is a viable alternative. Consideration should be given to whether the approach could be less intrusive, for example by allowing individuals to work from home instead or only collecting information on those in potentially higher risk roles.
Any personal data collected should be limited to what is necessary, kept secure and treated as confidential (including when someone tests positive). Employees should be informed how and why their personal data will be used, the access restrictions in place and for how long the information will be retained.
Contact Tracing Visitors and Customers
Collecting personal information on visitors and customers falls within the scope of the GDPR and Data Protection Act 2018. Such activity is usually undertaken where the government has requested that organisations do so. Where this is the case, the lawful basis to collect the data is most likely to be ‘legitimate interest’ or ‘public task’ for private and public organisations respectively. In most cases ‘consent’ would not be used as the lawful basis as this implies choice.
Organisations should refer to their own government’s guidance on the sectors required to collate this data and what needs to be recorded, as this can vary between countries. Usually, only basic information, such as contact details and time of arrival and departure, needs to be recorded.
Any data collected should be kept secure and not used for any other purpose, such as marketing campaigns. The use of open access sign-in books where customer and/or visitor details are visible to everyone should be avoided. Individuals should be informed how and why their personal data will be used, the access restrictions in place and for how long the information will be retained. Information should only be shared when it is requested by a legitimate public health authority.
Thermal Cameras and CCTV Surveillance Systems
Thermal cameras can potentially be used as part of the testing and monitoring regime for employees. CCTV systems can also be used to assist in contact tracing and monitoring whether employees are complying with COVID-19 safety measures. If your organisation is considering this approach, it should ensure that it is necessary, proportionate, in keeping with employees’ reasonable expectations and that the same level of control cannot be achieved by less privacy-intrusive means. A template data protection impact assessment for surveillance systems is available here.
Where such systems are in use, employees should be informed how and why their personal data will be used, the access restrictions in place and for how long the information will be retained.
Data Protection Enforcement
The Information Commissioner’s Office (ICO) has publicly recognised that during the pandemic, organisations may struggle to maintain their usual high standard of data protection, in particular in relation to information rights requests.
They have stated:
‘We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period. We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.’
Detailed information on the ICO’s regulatory approach during the pandemic is available here.
Additional guidance covering data protection risks is available via RMworks, Griffiths & Armour’s online risk management portal that is available to all clients. Further information on RMworks is available here.
We are always interested to hear your views so if you have any questions or comments on this article, please get in touch with your dedicated insurance broker at Griffiths & Armour or alternatively, contact Greg Street below: