As government agencies and businesses attempt to deal with the ramifications of Covid-19, the potential impact on privacy rights should not be overlooked. Certain measures that are under consideration to help combat the threat of the Covid-19 virus raise a number of questions about the practical impact of current guidance and efforts to prevent the spread of infection. Clearly, in light of the serious global threat posed by this virus, application of the data protection must be proportionate. We examine the two questions frequently asked questions from our clients:
- Can you ask employees about their travel plans (either before or after a holiday abroad)?
- Can you require employees to undergo a medical examination or submit to tests to check their temperature?
Considering these issues from a UK data protection perspective, the measures in question certainly involve the processing of employees’ personal data. To comply with the GDPR/Data Protection Act 2018 (DPA), the employer (the “controller” under data protection law) would be required to have a lawful basis, under Article 6, to collect and to process such information, before any processing begins. In the case of health data, the conditions set out in Article 9 of the GDPR, as implemented by the DPA would also need to be considered.
Employee consent is difficult to rely on, given the perceived imbalance of power between the parties, therefore, unless the processing becomes truly necessary to protect the “vital interests of the data subject or of another natural person” (usually understood to mean an emergency, “life or death” situation), it seems likely that the most appropriate lawful basis to rely on would be the legitimate interests of the controller or a legal obligation. Legitimate interests require the controller to assess and confirm that it has a strong legitimate interest to carry out the processing of employees’ personal data, which is not overridden by the fundamental rights and freedoms of the data subject.
Dealing with the first question, in relation to travel plans, it may, in ordinary circumstances, be considered an unusual request and an unwarranted intrusion into the individual’s private and family life. However, in the current climate, an employer could have a valid, legitimate interest in asking employees to disclose where they are going on holiday, or have recently been, in light of the very real threat posed by travel to certain jurisdictions currently most affected by COVID-19. The employer has a clear interest in and an obligation to ensure the safety of all staff and visitors where the employee works and must take into account the rights of all data subjects with whom the travelling individual could come into contact.
In this situation, it is likely that the employer’s legitimate interest in requesting the data is not overridden by the individual’s privacy rights; the individual’s rights should, however, be respected to the extent possible. For example, the information collected should be kept confidential and be limited, in line with the data protection principles of data minimisation and purpose limitation, to that which is strictly necessary to safeguard employees and visitors and to combat the threat of the virus. As the virus is rapidly spreading around the world, it is difficult to judge whether any location is safer than another, but areas deemed higher risk, might be grouped accordingly, with employers making decisions based on government advice. Supported by a Legitimate Interest Assessment (‘LIA’), and provided that the information collected is retained for no longer than necessary, the processing of such information for restricted purposes ought to be lawful under data protection law.
Regarding the second question, a medical, or temperature check, would involve processing of health data (special category data). In such cases, Article 9.2 of the GDPR/the Data Protection Act 2018 would need to be satisfied before any processing is carried out. Explicit consent of the individual is one option under this provision, but as noted above, the employer will not be able to rely on consent unless the employee is genuinely free to decide whether to give consent, with no threat of adverse consequences if the employee refuses to do, and the other GDPR conditions for valid consent have been met. If employees’ consent cannot be relied on as a valid condition to process the data, then one or more of the following conditions under Article 9.2 may apply:
- 9.2(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law… This may apply if the employer can assert that it is necessary to take a particular measure in order to comply with its obligation to safeguard employees or others.
- 9.2(g) – processing is necessary for reasons of substantial public interest.
- 9.2(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services subject to the conditions and safeguards referred to in paragraph 3.
- 9.2(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care….
(Art. 9.2(h) and (i) require the processing to be carried out by a professional (or other person) who is subject to an obligation of professional secrecy.)
The key test here is ‘necessity’. Is it strictly necessary to conduct the processing of health data in this manner in order to safeguard employees and/or combat the threat of the coronavirus? This will depend largely on the level of threat posed by the coronavirus in the UK, whether the intended measure is likely to be effective in combating that threat and whether any alternative, effective but less intrusive measures are available. The employer should also consider how it can reduce the level of intrusion caused by the testing or assessment (‘proportionality’). If a medical assessment is needed, will the employer conduct this through Occupational Health, or rely on the employee’s own GP? What results will be disclosed to the employer in the light of the specific purposes for processing the data? Finally, how long will these records be kept and by whom? Again, an assessment of the risks and rights of data subjects should be conducted. If there is likely to be a high risk to the rights and freedoms of individuals, or special category data processed on a large scale, then a Data Protection Impact Assessment (‘DPIA’) should be carried out, and remedial measures put in place, before the data is collected.
Several of the above grounds for processing special category data require suitable and specific measures to safeguard the fundamental rights and interests (or freedoms) of the data subject(s) involved. Furthermore, the Data Protection Act 2018 provides that there must also be an appropriate policy document in place to support the processing when it is required to comply with laws in connection with employment, social security and social protection or on the basis of the public interest. This separate policy should explain the procedures for complying with the data protection principles (in Article 5 of the GDPR) and the retention of this type of data. Whatever the business decides to do, it should provide employees with clear information about its plans and how their personal data will be processed (notice). It is worth revisiting existing employee privacy notices and policies to address any gaps, if necessary, whilst prioritising the efforts to protect employees’ health. It may be necessary to provide a supplementary privacy notice with key information about the additional purposes of processing personal data and special category data.
While some European supervisory authorities have issued GDPR guidelines for companies to consider when putting in place measures to combat the threat of COVID-19 (e.g., in Italy, Denmark), neither the ICO nor the EDPB have issued guidance yet. We will update this blog as further guidance is forthcoming.