In this OnPoint we report on the six “data protection steps” that the Information Commissioner’s Office (“ICO”) has set out in its recently issued guidance for employers to consider in relation to the use of the personal information of employees and others as lockdown restrictions start to ease and businesses begin to reopen.
Recognising the challenges presented by the COVID-19 pandemic and the need for organisations to share information quickly and to adapt the ways in which they work, the ICO recently issued guidance in relation to the collection of additional personal information as part of the process of providing a safe environment for staff. This guidance is intended to help organisations comply with the principles of transparency, fairness and proportionality which apply under data protection legislation to ensure that, as the Information Commissioner put it, “….people’s data is handled with care as we all continue our journey back to normality.”
Six data protection steps
The six key data protection steps set out in the ICO’s guidance are as follows:
And more on testing….
We have reported previously on the ICO’s detailed guidance on workplace testing. Some useful points to note from the ICO’s Q&A on testing and associated issues are as follows.
Testing and information collection
When considering the intrusiveness of potential testing arrangements, organisations should consider whether:
Employers will need to consider how any testing measures being considered will achieve the intended purpose of keeping the workplace safe and how effective these measures are at providing accurate results. The latest Government advice about what tests are considered to be the most effective and reliable indicators that an employee may have contracted COVID-19 will need to be considered.
Mandatory checking or testing for COVID-19 symptoms
The ICO guidance reminds organisations that making testing mandatory is not simply a question of data protection and that employment law, equality issues and health and safety aspects also need to be considered, together with the current Government guidance for the sector in question. If checks and tests are to be made mandatory, employers must carefully consider whether the use of the data gathered as a result is fair and proportionate – and whether using a voluntary approach could achieve the same or similar results. Employers are reminded of the need for a data protection impact assessment before such measures are put in place.
Regularity of testing and checking for symptoms
The ICO guidance makes clear that any checking or testing of staff and subsequent processing of their health information should be reasonable and proportionate to the specific circumstances including the individual’s role. The appropriate timescale between tests will depend on the circumstances and may be required more often in sectors such as health and social care where interactions with vulnerable individuals are common.
As individuals’ health status may change over time, and employers’ decisions need to be taken on the basis of accurate information, the accuracy of any records held by an organisation should be ensured by recording the date of the result where appropriate.
Employer-provided testing services
An organisation providing testing for its employees must process personal information lawfully, fairly and transparently and therefore must, before carrying out any tests, inform staff what personal information is required, what it will be used for, with whom it will be shared and for how long it will be retained. The ICO suggests that it would also be helpful for employers to provide the opportunity for employees to discuss the collection of their data with the employer if they have any concerns. Employees should also be informed about their data rights such as the right of access.
Disclosure by employees of their own test results
Employers should ensure the confidentiality and security of any information staff provide voluntarily to them in relation to tests they may have undergone outside work. This information should only be used as necessary and irrelevant or excessive data should not be collected or shared.
Lists of employees with symptoms or who have been tested as positive
Employers can maintain lists of those employees with symptoms and who have been tested as positive provided they comply with the applicable data protection principles. Accordingly, employers need to ensure the use of the data is actually necessary and relevant for their stated purpose and that the data processing is secure as well as taking into account any duty of confidentiality owed to employees. Employers must also ensure that any such lists do not result in any unfair or harmful treatment of employees, for example by the recording of inaccurate information or failing to acknowledge that an individual’s circumstances may change over time.
Sharing the fact that someone has tested positive with other employees
The ICO guidance indicates that employers should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, they should avoid naming individuals if possible and should not provide more information than is necessary.
Using CCTV or other forms of surveillance to monitor employee compliance with health and safety measures
Surveillance needs to be necessary, justified and proportionate. An employer considering its use, whether by way of CCTV or otherwise, should make an assessment of its necessity and proportionality, how the technology will assist the employer in achieving its objectives and whether changes are needed to its policies and procedure. All of these considerations form part of the requisite risk assessment. As employees may not always expect to be monitored via video surveillance systems in their day-to-day roles, employers should consider if there are any less privacy-intrusive ways to achieve the same result. The employer should consider the benefits of the method of monitoring under consideration and any alternative method of monitoring and should weigh these benefits against any adverse impacts on staff.
If surveillance systems are used, the employer should tell staff clearly what is being done and why – and any notices issued to them should clearly inform employees about the nature and extent of surveillance and its purpose(s). The ICO recommends telling staff what has changed from the employer’s normal policies. There should be regular reviews of any surveillance used to ensure it is still achieving its intended purposes.
Using CCTV footage to monitor who an individual has been in contact with if they are subsequently diagnosed with COVID-19 or suffer symptoms
The ICO recognises that CCTV footage could assist with contact tracing and therefore with enabling others to self-isolate. Employers should assess whether this is necessary in the specific circumstances and consider speaking to the individuals who would be affected about the use of CCTV and providing advice on appropriate measures such as self-isolation. The concern here is that analysis of CCTV footage could reveal sensitive aspects of an individual’s behaviours and relationships. Employees have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.
Separately, the ICO has also issued guidance on homeworking, which reminds employers of data protection and related issues to bear in mind as homeworking arrangements continue to be operated.
This ICO guidance serves as a timely reminder of the need to consider data protection principles in relation to employers’ arrangements for return to the workplace and ongoing health and safety monitoring, notwithstanding the ICO’s previous statements about its pragmatic approach to data protection enforcement reflecting the impact of COVID-19. Employers’ planning for the return to the workplace for staff following lockdown and their management of the ongoing health and safety issues presented by COVID-19 need to take proper account of these data protection considerations and the action required to ensure compliance.