Can we ask employees if they have any COVID-19 symptoms or to notify us if they have been diagnosed?
Yes. The ICO states that it would be reasonable to ask people if they are experiencing symptoms.
Data about an employee’s health, including whether or not they are experiencing COVID-19 symptoms, is “special category” personal data as defined in the GDPR.
As well as requiring a lawful basis for processing under Article 6, companies need an additional exemption to process this data under Article 9.
The relevant legal bases are:
- compliance with health and safety obligations under employment law (Article 9(2)(b) GDPR; para.1, Sch.1 DPA 2018)
- for reasons of public health (Art.9(2)(i) GDPR; para.3, Sch.1 DPA 2018)
Consent from personnel is generally not regarded as freely given (and is therefore invalid) due to the apparent imbalance in power between the organisation and the individual; relying on consent as the legal basis for processing is unlikely to be considered compliant with the GDPR.
- Do not collect more data than you need – i.e. limit the collection of health data to information that is relevant to COVID-19
- Ensure collection of this data is in the least intrusive way possible
- Make sure you keep the data safe and secure and limit circulation on a ‘need to know’ basis only
Can we take employees’ temperature readings?
Yes, if strictly necessary. ICO guidance does not prevent collecting and recording employees’ temperatures.
Conducting health screening in an employment context needs to be carefully considered in the circumstances. It is only likely to be appropriate in a very small number of situations (e.g. where such testing is necessary to determine an employee’s fitness to work, particularly when exposed to a risk group).
The available lawful bases are compliance with health and safety obligations under employment law (Article 9(2)(b) GDPR; para.1, Sch.1 DPA 2018) and for reasons of public health (Art.9(2)(i) GDPR; para.3, Sch.1 DPA 2018).
Ensure your privacy notice explains why the employee is being tested, the nature of the testing, how such data is used and the safeguards in place.
Can we ask about symptoms in the employee’s household?
Yes. The ICO states that, where necessary, the collection of additional data from employees may be proportionate. However, the data minimisation principle is key – do not collect more information than needed and ensure it is treated with appropriate safeguards. For example, we recommend not collecting information about the specific symptoms of each household member.
Can we keep a record of staff who are diagnosed as infected?
Yes. Note that such collection of data would need to comply with data protection principles. In particular, data minimisation and purpose limitation will be important.
Can we notify other members of staff about an infected employee?
Yes. The ICO has advised that informing employees that a colleague may have contracted the virus is permitted by virtue of the employer’s duty of care and to ensure employees’ health and safety.
Such information may, for example, facilitate contact tracing and thereby reduce virus exposure. However, this should be done on an anonymised and need-to-know basis, disclosing the minimum data required. If health data needs to be shared with your other group companies, contractual protections should also be put in place.
Can we notify customers and visitors of an infected employee?
Yes. You can notify your customers if the infected employee has interacted with customers.
It is unlikely that information about specific individuals will need to be disclosed. However, where identification is required, the processing of health-related personal data can be carried out under Art.9(2)(i) GDPR and para.3, Sch.1 DPA 2018, where it is necessary for reasons of public interest in the area of public health.
What documentation do I need to achieve and demonstrate compliance?
You should review your existing privacy notices to ensure that these provide the necessary information regarding the data being collected and the purposes of processing.
The collection of data regarding COVID-19 can be an incredibly sensitive subject. Due to the importance of safety, data must be collected. However, due to the nature of the data, it must be done securely. At Sapphire Consulting, we provide excellent advice and services to ensure that you and your staff are protected when it comes to your data. If you are looking to outsource a DPO, get in touch today.