COVID-19 Coronavirus Business Impact – Coronavirus recovery – six data protection steps from the ICO
In this OnPoint we report on the six “data protection steps” that the Information Commissioner’s Office (“ICO”) has set out in its recently issued guidance for employers to consider in relation to the use of the personal information of employees and others as lockdown restrictions start to ease and businesses begin to reopen.
Recognising the challenges presented by the COVID-19 pandemic and the need for organisations to share information quickly and to adapt the ways in which they work, the ICO recently issued guidance in relation to the collection of additional personal information as part of the process of providing a safe environment for staff. This guidance is intended to help organisations comply with the principles of transparency, fairness and proportionality which apply under data protection legislation to ensure that, as the Information Commissioner put it, “….people’s data is handled with care as we all continue our journey back to normality.”
Six data protection steps
The six key data protection steps set out in the ICO’s guidance are as follows:
- Only collect and use what’s necessary – organisations should consider how collecting extra personal information will help keep their workplace safe, whether they really need the information, whether any testing being considered will actually help to provide a safe environment and whether the same result could be achieved without collecting personal information.
- Keep it to a minimum – when collecting personal information, including information concerning COVID-19 symptoms or any related test results, organisations should collect only the information needed to implement their measures appropriately and effectively. Organisations should not collect personal data that they do not need – some information only needs to be held momentarily with no need for a permanent record.
- Be clear, open and honest with staff about their data – organisations should be clear as to how and why they wish to use individuals’ personal information, including what the implications for them will be. They should also let employees know with whom they will share their information and for how long they intend to keep it. Privacy notices should be updated as soon as reasonably practicable.
- Treat people fairly – employers should ensure that decisions about staff based on health information they collect are fair and do not entail unlawful discrimination.
- Keep people’s information secure – any personal data held must be kept securely and only held for as long as is necessary. It is good practice to have a retention policy in place that sets out when and how personal information needs to be reviewed, deleted or anonymised.
- Enable staff to exercise their information rights – the ICO expects organisations to inform their employees about their personal data rights such as the right of access and to rectification.
And more on testing….
Testing and information collection
When considering the intrusiveness of potential testing arrangements, organisations should consider whether:
- Collection of health information can be confined to the highest risk roles.
- Access to health information can be limited so that it will only be seen by medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility.
- There are reasonable alternative measures which do not rely on personal information, such as strict social distancing or working from home.
Employers will need to consider how any testing measures being considered will achieve the intended purpose of keeping the workplace safe and how effective these measures are at providing accurate results. The latest Government advice about what tests are considered to be the most effective and reliable indicators that an employee may have contracted COVID-19 will need to be considered.
Mandatory checking or testing for COVID-19 symptoms
The ICO guidance reminds organisations that making testing mandatory is not simply a question of data protection and that employment law, equality issues and health and safety aspects need also to be considered as well as the current Government guidance for the sector in question. If checks and tests are to be made mandatory, employers must carefully consider whether the use of the data gathered as a result is fair and proportionate – and whether using a voluntary approach could achieve the same or similar results. Employers are reminded of the need for a data protection impact assessment before such measures are put in place.
Regularity of testing and checking for symptoms
The ICO guidance makes clear that any checking or testing of staff and subsequent processing of their health information should be reasonable and proportionate to the specific circumstances including the individual’s role. The appropriate timescale between tests will depend on the circumstances, and tests may be required more often in sectors such as health and social care where interactions with vulnerable individuals are common.
As individuals’ health status may change over time, and employers’ decisions need to be taken on the basis of accurate information, the accuracy of any records held by an organisation should be ensured by recording the date of the result where appropriate.
Employer-provided testing services
An organisation providing testing for its employees must process personal information lawfully, fairly and transparently and therefore must, before carrying out any tests, inform staff what personal information is required, what it will be used for, with whom it will be shared and for how long it will be retained. The ICO suggests that it would also be helpful for employers to provide the opportunity for employees to discuss the collection of their data with the employer if they have any concerns. Employees should also be informed about their data rights such as the right of access.
Disclosure by employees of their own test results
Employers should ensure the confidentiality and security of any information staff provide voluntarily to them in relation to tests they may have undergone outside work. This information should only be used as necessary and irrelevant or excessive data should not be collected or shared.
Lists of employees with symptoms or who have been tested as positive
Employers can maintain lists of those employees with symptoms and who have been tested as positive provided they comply with the applicable data protection principles. Accordingly, employers need to ensure the use of the data is actually necessary and relevant for their stated purpose and that the data processing is secure as well as taking into account any duty of confidentiality owed to employees. Employers must also ensure that any such lists do not result in any unfair or harmful treatment of employees, for example by the recording of inaccurate information or failing to acknowledge that an individual’s circumstances may change over time.
Sharing the fact that someone has tested positive with other employees
The ICO guidance indicates that employers should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, they should avoid naming individuals if possible and should not provide more information than is necessary.
Using CCTV or other forms of surveillance to monitor employee compliance with health and safety measures
Surveillance needs to be necessary, justified and proportionate. An employer considering its use, whether by way of CCTV or otherwise, should make an assessment of its necessity and proportionality, how the technology will assist the employer in achieving its objectives and whether changes are needed to its policies and procedures. All of these considerations form part of the requisite risk assessment. As employees may not always expect to be monitored via video surveillance systems in their day-to-day roles, employers should consider if there are any less privacy-intrusive ways to achieve the same result. The employer should consider the benefits of the method of monitoring under consideration and any alternative method of monitoring and should weigh these benefits against any adverse impacts on staff.
If surveillance systems are used, the employer should tell staff clearly what is being done and why – and any notices issued to them should clearly inform employees about the nature and extent of surveillance and its purpose(s). The ICO recommends telling staff what has changed from the employer’s normal policies. There should be regular reviews of any surveillance used to ensure it is still achieving its intended purposes.
Using CCTV footage to monitor who an individual has been in contact with if they are subsequently diagnosed with COVID-19 or suffer symptoms
The ICO recognises that CCTV footage could assist with contact tracing and therefore with enabling others to self-isolate. Employers should assess whether this is necessary in the specific circumstances and consider speaking to the individuals who would be affected about the use of CCTV and providing advice on appropriate measures such as self-isolation. The concern here is that analysis of CCTV footage could reveal sensitive aspects of an individual’s behaviours and relationships. Employees have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.
Separately the ICO has also issued guidance on homeworking which reminds employers of data protection and related issues to bear in mind as home working arrangements continue to be operated.
This ICO guidance serves as a timely reminder of the need to consider data protection principles in relation to employers’ arrangements for return to the workplace and ongoing health and safety monitoring, notwithstanding the ICO’s previous statements about its pragmatic approach to data protection enforcement reflecting the impact of COVID-19. Employers’ planning for the return to the workplace for staff following lockdown and their management of the ongoing health and safety issues presented by COVID-19 need to take proper account of these data protection considerations and the action required to ensure compliance.