The global coronavirus pandemic has impacted us all, from governments taking measures to contain the spread and resurgence of the disease among their populations, to employers trying to keep their business operating, while protecting employees.
In the days following the outbreak and during the second wave, employers were and are faced with the problem of identifying, managing and containing the spread of COVID-19 in the workplace as means of discharging their general duty to provide a safe and secure working environment. Action taken by employers to protect employees have in most cases involved a combination of general measures, such as instructions to self-isolate and implementation of home working arrangements, to more targeted steps such as testing and enquiries among staff regarding symptoms or travel history to detect sources of possible infection. With many of us still in lockdown and working remotely, and businesses being required to close again in response to increases in infection rates, employers are continuing to assess risks to their operations and employees while also looking to the future steps to take so as to re-open workplaces safely.
Employee privacy tends to be an unfortunate casualty in a crisis, with business continuity, security and employee safety often prevailing above employees’ data protection rights. For many employers responding to the Covid-19 outbreak across multiple jurisdictions, a tailored response on a country-by-country basis would involve the use of resources – whether time, finances or people – that would arguably best be deployed elsewhere. Employers are nevertheless cognisant of their compliance obligations, particularly those relating to data protection, and many have looked at local requirements when developing measures in response to the outbreak. The statement from the European Data Protection Board ("EDPB") – that data protection rules do not hinder measures taken in the fight against the Covid-19 – offered very little solace to European employers seeking guidance on how practically to comply with their data protection obligations across the EU. Likewise, guidance from national data protection authorities has rarely been consistent and has consequently left employers with no choice but to track requirements at a national level.
In the UK, the Information Commissioner's Office ("ICO") has created a data protection and coronavirus information hub which is updated periodically with new guidance and advice. The ICO also maintains guidance on its stance regarding regulatory enforcement during the pandemic, in which it recognised that the pandemic requires it to reassess its priorities and its resourcing, and therefore to take an "empathetic and pragmatic approach" to regulation The ICO originally stated that it would take into account the impact of the crisis when handling complaints it received from individuals about organisations, meaning it would seek to resolve the complaint without contacting the organisation or would provide the organisation longer than usual to respond. Employers were still advised then – as they are now – not to take this guidance as a 'get out of jail free' card. The most recent update to this guidance identifies that the ICO will monitor evolving situations specific to the employer, particularly in light that many businesses are adapting the ways they work.
Navigating the guidance from data protection authorities
National data protection authorities, including the ICO, have unvaryingly stated that data protection rules should not prevent an employer from taking measures to protect employees. More confusingly for employers, the same guidance may explicitly state what measures cannot be taken because of data protection law. The understandable difficulty for many data protection authorities is in providing guidance that appropriately balances the employer’s duty of health and safety against the privacy of employees.
Where cases of COVID-19 are suspected or confirmed, most countries permit the employers to record such cases (Australia, Belgium, China, Denmark, Germany, Hong Kong, Hungary, Singapore, Slovakia, Spain, Sweden, UAE, UK), whereas a minority impose restrictions or conditions on such recording (Czech Republic, Finland, France, Italy). Only two countries (Netherlands and Poland) restrict the recording of identified cases; however, in the case of Poland public health authorities may require employers to maintain records on a case-by-case basis.
Notifying other members of staff about suspected or confirmed cases also varies across countries. Some countries permit notifying members of staff about cases, albeit without necessarily revealing the identity of infected staff members unless absolutely necessary (China, Czech Republic, Denmark, Finland, Hungary, Poland, Singapore, Spain, Sweden, UAE, UK), whereas others may consider this only possible in limited circumstances (Australia, Belgium, France, Germany, Hong Kong, Slovakia). Two countries (Italy and Netherlands) do not permit employers to notify staff and instead indicate that public health authorities alone should make such notifications.
Processing employee data in response to COVID-19: a recap on the law
Employers will inevitably process the personal data of their employees when adopting measures to detect, contain or mitigate the spread of Covid-19.
Available lawful bases under GDPR and UK data protection law
In Europe, employers will generally rely on Article 6(1)(c) of the General Data Protection Regulation (“GDPR”) – compliance with a legal obligation – when processing personal data of employees, workers or visitors for health and safety purposes. However, most personal data processed directly in response to Covid-19 is often special category data, namely health data. As such, employers must always consider the appropriate technical and organisational measures to protect this type of data, such as implementing appropriate security and access controls to systems containing health-related information. This is especially important given that HR team members may also be working remotely and may be accessing data outside of usual HR systems or access points. Where employers process health data, they will largely rely on the conditions in Article 9(2)(b) of the GDPR – processing necessary to comply with employment law obligations, such as health and safety laws and laws recently enacted by governments in response to the Covid-19 outbreak – and Article 9(2)(i) of the GDPR – processing for reasons of public interest in the area of public health. In matters of life or death, employers can rely on Articles 6(1)(d) and 9(2)(c) of the GDPR to protect the vital interests of their employees.
The GDPR applies in the UK during the transition period by virtue of section 3 of the European Union (Withdrawal) Act 2019. The Data Protection Act 2018 ("DPA") supplements the GDPR in UK and sets out the relevant conditions set out above in Schedule 1 to the DPA. Paragraph 1 of Schedule 1 corresponds to Article 9(2)(b) of the GDPR and the UK GDPR – compliance with employment law obligations – but provides an additional accountability requirement for an employer to have an appropriate policy document in place (as described further at paragraph 39 of Schedule 1), as well as an extended record of processing. In summary, an appropriate policy document is a document that includes and explanation of:
The appropriate policy document must be reviewed from time to time and retained during the course of the processing activity, as well as for six months after such activities have ended. It must also be made available to the ICO on request and without charge.
Paragraph 3 of Schedule 1 corresponds to Article 9(2)(i) of the GDPR and the UK GDPR – processing for reasons of public interest in the area of public health. This condition does not require the employer to put into place an appropriate policy document.
Data protection principles
The existence of a lawful basis or conditions under GDPR and UK data protection law does not mean that employers processing employee personal data – especially health data – specifically in response to Covid-19 will be compliant. Employers must bear in mind the data protection principles that must be followed.
Among these, employers must consider whether the processing of personal data is indeed necessary and, if so, that such personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’) and are adequate, relevant and limited to what is necessary for those purposes (‘data minimisation’). Employers should also consider appropriate retention periods for personal data collected and processed as part of the measures taken to combat Covid-19 (‘storage limitation’).
Ultimately, employers must consider whether the processing of employee personal data is necessary and proportionate to identified purposes and must be able to demonstrate compliance with the data protection principles (‘accountability’). As the ICO notes in its guide to the GDPR, 'necessary' does not mean that the processing has to be absolutely essential but must be more than just useful or standard practice: "It must be a targeted and proportionate way of achieving a specific purpose."
Concluding thoughts
Whilst the approach of both national / local governing bodies and of data protection authorities may have developed as the pandemic has progressed, the underlying principles and the country-by-country (or region-by-region) approach that we saw at the start of the pandemic remain in place. With a resurgence of Covid-19 in many areas and increasingly varied public health strategies, employers will need to continue to take a localised approach to employee privacy requirements as well as the wider implications of the pandemic, and to keep an eye on developments.