Q: Can I tell my staff that a colleague may have potentially contracted COVID-19?
A: You should keep staff informed about cases in your organisation. However, you probably do not need to name individuals who have been affected and you should not provide more information than necessary. Whilst you have an obligation to ensure the health and safety of your employees, as well as a duty of care do remember that you also owe a duty of confidentiality to any employee suffering from COVID-19. Data protection legislation does not prevent you telling your staff that a colleague has contracted COVID-19 but you will need to carefully assess exactly how much information you need to disseminate and be able to justify why you have chosen to divulge that information.
Q: Can I collect health data in relation to COVID-19 about employees or from visitors to my organisation? What about health information ahead of a conference or an event?
A: You have an obligation to protect your employees’ health but that does not necessarily mean you need to gather lots of information about them. It is reasonable to ask people to tell you if they have visited a particular country or are experiencing COVID-19 symptoms. You could ask visitors to consider Government advice before they decide to come. You could also advise staff to call the Jersey Coronavirus helpline on 01534 445566 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect. If that is not enough and you still need to collect specific health data, do not collect more than you need and ensure that any information collected is treated with the appropriate safeguards.
Q: Can I share employees’ health information to authorities for public health purposes?
A: Yes. It is unlikely your organisation will have to share information with authorities about specific individuals but if it is necessary then there are provisions in the data protection law which will enable you to do so.
Q: I have had to let go some members of staff because I do not have the work for them. What do I need to think about in terms of their access to my organisation's data?
A: It is your responsibility to make sure that the only people have access to personal data within your organisation are those who need it. Ex employees should have no reason to hold on to personal data once they have left your employment and so you need to make sure that they do not have access to your systems/premises or any information they should not have. If your member of staff had remote access to your systems you need to make sure that you have disabled their access. If they had access to your physical premises, have you disabled any access that was granted by way of fob/pin code? If they had a key have they returned it to you? If you provided that member of staff with a phone/laptop or other piece of hardware has it been returned to you or, if you are happy for them to keep it, are you confident that there isn't any of your organisation's data on it? If they downloaded emails onto that device are you satisfied that they have deleted that information? Do you have the ability to remotely erase those devices? Are you satisfied that your staff member does not have any hard copies of your information? If they do, are you able to arrange for that information to be safely returned to you so that you can destroy it securely?