Recent events have brought the GDPR back on to the agenda as the implications of how organisations are going to be expected to deal with the current COVID-19 epidemic have become apparent. There will clearly be a necessity for employers to ensure that the risk of infection to their staff, customers and the general public is minimised. At the same time they must be aware that the information they are collecting during this process can have significant privacy consequences.
Collecting data legally
The detailed guide to the GDPR published by the Information Commissioner's Office (ICO), available at assets.publishing.service.gov.uk, shows that provision was made in the Regulation to permit the processing of special category data if:
“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”.
According to the ICO, the processing must be demonstrably necessary for reasons of public interest in the area of public health. While the term ‘public interest’ is not defined, it clearly implies a benefit to the wider public or society as a whole, rather than to the interests of one individual or organisation. In particular, the GDPR makes clear this condition should not enable processing for other purposes by employers, or by insurance or banking companies.
Applying the exemption
Collecting data under this provision does not require an appropriate policy document to be in place. It would apply where the processing is necessary for:
public health monitoring and statistics
NHS resource planning
public vaccination programmes
responding to new threats to public health (such as epidemics, pandemics or new research findings)
clinical trials of drugs or medical devices
regulatory approval of drugs or medical devices
reviewing standards of clinical practice.
In addition, the GDPR also specifies two circumstances where the normal right to erasure will not apply to special category data:
if the processing is necessary for public health purposes in the public interest (protecting against serious cross-border threats to health, for example, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
if the processing is necessary for the purposes of preventative or occupational medicine (where the processing is required for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (such as a health or social work professional).
In the workplace
It is important that employers do not get ahead of the general guidance issued by the Government and health professionals. They should not, for example, introduce measures such as the recording of compulsory temperature checks or threatening disciplinary action if employees do not follow good practice in terms of stopping the spread of the coronavirus (no handshakes, for example, or failure to wash their hands at specified intervals) unless this is required by the relevant authorities.
Employers should also remember that the collection of medical information can only be carried out by a medical professional who can share the relevant medical data gathered with the employer under professional medical rules. While it would be permitted for an organisation to supply thermometers to staff so that they can monitor their own health, they cannot be compelled to do so.
Organisations must conduct risk assessments to understand the legal implications of any protective measures that they do decide to introduce and, as the World Health Organisation (WHO) has insisted from the very earliest days of the outbreak, must be as transparent as possible by keeping employees fully aware of the steps taken through regular privacy information and notices. Most GDPR-compliant organisations will have appointed a data protection officer and they should be prepared and ready to deal with questions related to the collecting of personal data with regard to exposure to COVID-19.
When enough is enough
Although the legislation, both the GDPR and the 2018 Data Protection Act 2018 (Schedule 1, condition 3), allows for the collection and retention of health data for the public interest reasons described above, it is important to note that the general data minimisation principle still applies. Care should be taken to gather no more information than is required in the circumstances and to retain it for no longer than the situation dictates. As always with data protection, the question needs to be asked: “Do we really need this information and is there a less intrusive way of achieving the same goal?” Even during a public health emergency, it is incumbent on organisations to avoid collecting, processing, or disclosing data unnecessarily.
Working from home implications
As the crisis has developed, the emphasis has shifted away from the workplace with as many people as possible now being required to adapt to working from home (WFH). The lack of time to prepare will have meant that in many cases this has resulted in less than optimum arrangements with employees perhaps using their own laptops or PCs to access data held by their organisation and with their employer having had little time to assess the extent to which the machines and internet connections being used are compliant with their usual cyber security standards.
Given the problems that many organisations will be experiencing with regard to the intricacies of furlough leave and the business continuity grants for which they may or may not qualify, it is understandable that data protection will not be high on their priority list. However, it would be a sensible precaution if they made some effort to introduce the following basic precautions:
remind those working from home that the organisation’s data protection policy is still in place during the current emergency;
ask them to confirm that they are using a secure network connection and that their malware/virus protection is up-to-date;
when transferring data in either direction, ensure that it is encrypted if at all possible;
remember that the requirements of the GDPR are still in place so, if any data breach occurs, the person responsible (or who discovers the loss) must report it immediately and take swift action to mitigate any damage; and
if there is some data held by the organisation that is highly confidential and would not under normal circumstances leave the premises, the employer should identify it and ensure that it is not accessible and that staff are aware of the restriction.