With the Coronavirus (COVID-19) both posing and being declared by the UK Government and World Health Organisation (WHO) as a ‘serious risk to public health’, it is likely that employers will be feeling the need to record additional information about their staff such as, travel, contacts with others, meetings attended and whom was present, any illness or self-isolation, etc.
Record-keeping will prove vital in being to quickly trace contacts and stop the spread of COVID-19 however, such personal data may be classed as ‘special category’ data and should not be processed (recorded, stored, transmitted, etc.) by the employer without a clear and lawful purpose.
Under current data protection law, including Regulation (EU) 2016/679 (GDPR) and the UK Data Protection Act 2018 c.12 (DPA 2018), it is incumbent on employers as data controllers to limit the amount of personal data they process and to process that personal data for ‘no longer than is necessary’.
As most employers will be reacting to COVID-19 and the issues it presents rather than planning for it or other contagious risks they may, take the “act first, ask later” approach, which they could easily be forgiven for taking and may well be providing they follow-up and review what they are processing at the earliest opportunity. Article 9.2.(b) may provide acceptable grounds for this approach.
Employers will however, need to remember that they must comply with data protection laws when processing personal or special category data to help them and others, get through the current COVID-19 contagion and it will be important that employers put in place measures for processing the personal data of staff as part of their response to the crisis.
Employers also have legal obligations for the health, safety, and welfare of staff and it is therefore, reasonable for employers to process information about their staff in order to facilitate this for them as individual and others and this need to gather information is not in conflict with data protection law providing it is done correctly.
Employers could rely on the fact that ‘processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent’ (Article 9.2(c)) and possibly Article 9.2.(h) (health and social care).
How much personal data is processed and how long for, may be fluid and depend on the nature of the organisation (employer) and the risk to that organisation and its staff.
For data controllers in the UK, it would be good to read this article alongside The Health Protection (Coronavirus) Regulations 2020. There’s some detail within this Regulation that hints at what employers might need to process in order to assist. Regulation 6 is largely about the individual (person (“P”)) and it lays out what they may be compelled to provide:
6.—(1) For the purposes of these Regulations, the screening requirements, in relation to a person (“P”) are requirements to the effect that P must─
(a) answer questions about P’s health or other relevant circumstances (including travel history and information about other individuals with whom P may have had contact);
(b) produce any documents which may assist a registered public health consultant or public health officer in assessing P’s health;
Regulation 5 lays out some of the powers and requirements for public health professionals and in 5.(b) it states:
5.—(1) Where Condition A or B (set out in regulation 4) is met in relation to a person (“P”), the Secretary of State or a registered public health consultant may—
(b) carry out such an assessment in relation to P;
This would suggest that if ‘person (“P”)’ is not able to or willing to provide the information it needs to assess the risk, the public health professional can ‘carry out such an assessment’, which could mean going to the employer to seek the relevant information about the person, probably their health, travel history, recent contacts, etc.
Under Regulation 6 above, there is a requirement for ‘person (“P”)’ to ‘produce any documents which may assist’, and this again could be coming from the employer through the assessment conducted under 5.(b).
The above would suggest that organisations should clearly review their data protection and HR policies and procedures to ensure that the processes required to track, and monitor Coronavirus issues are there, and are operated in a way that is compliant with data protection law. As in the article, planning for data minimisation and limitation are firmly underlined by the current situation.
On limitation, as with most viruses, this ‘first wave’ of the Coronavirus will likely peak at some point soon, and then we may later, as there is no ‘fix’ for this virus yet, see a second or third or… wave. This may affect the decision on how long (retention) the organisation’s records relating to ‘person (“P”)’ are kept. This will be a little like licking your thumb and sticking it in the air to see which way the wind is blowing however, organisations must retain such personal data for ‘no longer than is necessary for the purpose’.
Going off-piste for a moment: Risk considerations for employers include the potential isolation, forced or voluntary, of a team under Regulation 10, and as with some of our clients that operate regular meetings, they have chosen to impose a no face-to-face meeting ban. Meaning that all meetings must take place via Teams or Business Skype or Zoom or other conferencing system. This could add new data processing issues for organisations that have not yet considered this as a ‘process’.
Need to talk about this? Get in touch through our Contact Form.
 BBC News : Coronavirus declared global health emergency by WHO, (https://www.bbc.co.uk/news/world-51318246) [accessed: 11 March 2020