Returning to Work - Privacy Considerations

As employees begin to return to work during the Covid-19 response, we have compiled some key privacy considerations for employers.

Have you been collecting additional information regarding an employee’s health, such as whether the employee is suffering symptoms of Covid-19 or if they have been diagnosed as having the virus?

Health data due to its sensitivity has the protected status of 'special category data' under data protection law. Employers must carefully consider the basis for processing this data.

You need to consider the following points:

  • Where has this additional data been stored?
  • What did you collect this information for?
  • Do you still need this additional data? If so, for how long?
  • If you need the information for statistical purposes, can you anonymise it?

Remember… Collect only the information really necessary to assess potential risks. The collection of data on health conditions, movements and contacts of all the employees through tests, thermometers, questionnaires and apps can be in breach of the data minimisation principle if not correctly set to collect only relevant information. Do not collect more than you need for your purposes; what is the minimum information you need to know in order to assess the relevant risk?

Do you have in place a procedure for the handling of Covid-19 data?

If data related to individuals infected by Covid-19 or at risk of infection is communicated to individuals that are not authorised/have no need to know that information, there are potential risks of discrimination and damage for the relevant individual. Information should be shared on a ‘need to know’ basis.

A procedure should outline the people to which the information on the infection (or the potential infection) should be communicated. For example, even a minor alteration of the record of the body temperature of an employee being visible to other employees could cause embarrassment. The collection of data should occur in a manner able to protect employee confidentiality and in the least intrusive way possible.

When your staff return to work, do you want to carry out tests to check if they have symptoms of Covid-19 or the virus itself. Do you need to consider the Data Protection (Jersey) Law 2018?

Yes. If you process information that allows an individual to be identified (either directly or indirectly) you need to comply with the Data Protection (Jersey) Law 2018. That means handling that information lawfully, fairly and transparently. Personal data that relates to health is more sensitive and is classed as 'special category data' so it must be even more carefully protected.

Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency. But it does require you to be responsible with people’s personal data and ensure it is handled with care. Make sure that you understand your lawful basis before you start any processing activity and that you have processes and procedures in place to keep any information safe and secure.

Can I share the fact that someone has tested positive with other employees? What do I need to consider if I am planning to disclose this information to third parties? 

You should keep staff informed about potential or confirmed Covid-19 cases amongst their colleagues. However, you should avoid naming individuals and you should not provide more information than is necessary.  As an employer, it is your duty to ensure the health and safety of all your employees but this must be balanced against the expectations of privacy someone suffering from Covid-19 will have. 

Data protection does not prevent you from sharing this information where it is appropriate to do so, and the law should not be viewed as a barrier to sharing data with authorities for public health purposes, or the police where necessary and proportionate. There are many routes available to share data, using some of the conditions and exemptions in the Data Protection (Jersey) Law 2018. You also need to take into account the risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach. If it was you suffering from Covid-19 who would you expect that information to be shared with and why? How much information would you expect to be shared?

Have you been sharing employee pay data with the government as part of the Co-Funding Payroll Scheme?

This should only be what’s required, it should be sent securely, and employees advised. Records should be maintained of exactly what information is shared.

Have employees returned all removable devices to the office? Have any asset logs been updated accordingly?

You need to consider the following points:

  • Have you verified that all hard copy files have been returned and logged back into the office?
  • Have any members of your team processed personal information of staff or customers on their own devices? - What is your procedure for capturing the relevant information and deleting the rest?

If you need further guidance please contact the JOIC team at enquiries@jerseyoic.org or call 01534 716530.

JOIC Blogs