As our Island reconnects and employees begin to return to the workplace, we have compiled some key privacy considerations for employers. This article covers the following:
Have employees returned all removable devices to the office? Have any asset logs been updated accordingly?
You need to consider the following points:
Have you been collecting employees’ health data relating to Covid-19, such as whether an employee is suffering symptoms of Covid-19 or has been diagnosed as having the virus?
Because of its sensitivity, health data has the protected status of 'special category data' under data protection law. Employers must carefully consider the basis for processing this data.
You need to consider the following points:
Remember… ONLY collect the health data you need and be clear about why you need it.
Collect only the information really necessary to assess potential risks. The collection of data on health conditions, movements and contacts of all the employees through tests, thermometers, questionnaires and apps can be in breach of the data minimisation principle if not correctly set to collect only relevant information. Do not collect more than you need for your purposes; what is the minimum information you need to know in order to assess the relevant risk?
Have you updated your staff handbook/procedures to reflect how you handle Covid-19 health data?
Covid-19 health data should be treated with the same considerations as any other health data you collect about your employees. It needs to be kept securely and only shared with those who need to see it for a particular purpose. Your staff handbook and internal processes may need to be updated to reflect the way you want to use Covid-19 health data.
If data related to individuals infected by Covid-19 or at risk of infection is communicated to individuals that are not authorised/have no need to know that information, there are potential risks of discrimination and damage for the relevant individual. Information should be shared on a ‘need to know’ basis.
A procedure should outline the people to whom the information on the infection (or the potential infection) should be communicated. For example, even a minor alteration in an employee’s recorded body temperature being visible to other employees could cause embarrassment. Data should be collected in a way that protects employee confidentiality and is as unintrusive as possible.
Can I collect data about whether my employees are vaccinated against COVID-19?
An employer must be very clear about what they are trying to achieve and how recording staff vaccination status will help achieve this. Whether an individual has been vaccinated is their private health information and is therefore special category data. The use of this data must be fair, necessary and relevant for the specific purpose for which it is being processed.
You must have a clear and compelling reason for recording an employee’s vaccination status. If you have no specified use or real need for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also bear in mind that accepting the offer of a vaccine is a personal decision, which could be influenced by a number of factors.
Data protection is only one of many factors to consider when asking employees whether they have received the COVID-19 vaccine. You should take into account:
Consideration should also be given to other regulations in your industry and the latest government guidance for your sector.
The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to ask and/or record whether your staff have had the COVID-19 vaccine. For example, if your employees:
This may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.
The collection of this type of information must not result in any unfair or unjustified treatment of employees and should only be used for purposes they would reasonably expect. You should treat staff fairly and if the collection of this information may have a negative consequence for an employee, you must be able to justify its collection and how you use it. When considering fairness, you should also remember that the vaccine is being offered to people at different times (e.g. elderly or those with pre-existing conditions first) and some people may not yet have been offered a vaccination/it may be some time before they receive it.
If the use of this personal information is likely to result in a high risk to individuals (e.g. denial of employment opportunities) then you need to complete a data protection impact assessment. (You may also need to take specific employment advice.)
When your staff return to work, you may want to carry out tests to check if they have symptoms of Covid-19 or the virus itself. Do you need to consider the Data Protection (Jersey) Law 2018?
Yes. If you process information that allows an individual to be identified (either directly or indirectly) you need to comply with the Data Protection (Jersey) Law 2018. That means handling that information lawfully, fairly and transparently. Personal data that relates to health is more sensitive and is classed as 'special category data' so it must be even more carefully protected.
Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency but it does require you to be responsible with people’s personal data and ensure it is handled with care. Make sure that you understand your lawful basis before you start any processing activity and that you have processes and procedures in place to keep any information safe and secure.
Can I share the fact that someone has tested positive with other employees? What do I need to consider if I am planning to disclose this information to third parties?
You should keep staff informed about potential or confirmed Covid-19 cases amongst their colleagues. However, you should avoid naming individuals and you should not provide more information than is necessary. As an employer, it is your duty to ensure the health and safety of all your employees but this must be balanced against the expectations of privacy someone suffering from Covid-19 will have.
Data protection does not prevent you from sharing this information where it is appropriate to do so, and the law should not be viewed as a barrier to sharing data with authorities for public health purposes, or the police where necessary and proportionate. There are many routes available to share data, using some of the conditions and exemptions in the Data Protection (Jersey) Law 2018. You also need to take into account the risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach. If it was you suffering from Covid-19 who would you expect that information to be shared with and why? How much information would you expect to be shared?
Have you been sharing employee pay data with the government as part of the Co-Funding Payroll Scheme?
The data shared should be only what is required; it should be sent securely, and employees should be advised. Records should be maintained of exactly what information is shared and why.