In their efforts to minimise the risk of infection to staff and others by collecting and disseminating information, organisations must not forget about data protection, Paul Clarke warns.

After all the publicity and warnings a couple of years ago, many employers will have mentally ticked the General Data Protection Regulation (GDPR) off their to-do list, secure in their new policies and the privacy notices added to their websites and company literature.

Unfortunately, however, recent events have brought the GDPR back onto the agenda as the implications of how organisations are going to need to deal with the current COVID-19 epidemic become apparent. There will clearly be a necessity for employers to ensure that the risk of infection to their staff, customers and the general public is minimised. At the same time they must be aware that the information they are collecting during this process can have significant privacy consequences.

Go anywhere interesting this year?

As restrictions on travel and the need to self-isolate after exposure to the possibility of infection begin to grow, it will become more and more important that employers are aware of the travel plans of not only the people who work for them but also of their families.

While companies may be comfortable with checking on business travel plans, they may well be cautious about seeking information about personal and holiday trips or about visits to their employees by friends or relations from areas known to have been badly hit by the coronavirus.

Collecting data legally

Turning to the detailed guide to the GDPR published by the Information Commissioner’s Office (ICO), available at GOV.UK, we can see that provision was made in the regulation for exactly this eventuality.

Article 9(2)(i) permits the processing of special category data if:

processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

According to the ICO, the processing must be demonstrably necessary for reasons of public interest in the area of public health. While the term “public interest” is not defined, it clearly implies a benefit to the wider public or society as a whole, rather than to the interests of one individual or organisation.

In particular, the GDPR makes clear that this condition should not enable processing for other purposes by employers, or by insurance or banking companies.

Applying the exemption

Collecting data under this provision does not require an appropriate policy document to be in place. It would apply where the processing is necessary for:

  • public health monitoring and statistics

  • NHS resource planning

  • public vaccination programmes

  • responding to new threats to public health (such as epidemics, pandemics or new research findings)

  • clinical trials of drugs or medical devices

  • regulatory approval of drugs or medical devices

  • reviewing standards of clinical practice.

In addition, GDPR also specifies two circumstances where the normal right to erasure will not apply to special category data:

  • if the processing is necessary for public health purposes in the public interest (protecting against serious cross-border threats to health, for example, or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices)

  • if the processing is necessary for the purposes of preventative or occupational medicine (where the processing is required for:

    • the working capacity of an employee

    • medical diagnosis

    • the provision of health or social care

    • the management of health or social care systems or services);

    this only applies where the data is being processed by, or under the responsibility of, a professional subject to a legal obligation of professional secrecy (such as a health or social work professional).

Additional data collection in the workplace

It is important that employers do not get ahead of the general guidance issued by the Government and health professionals. They should not, for example, introduce measures such as recording compulsory temperature checks or threatening disciplinary action if employees do not follow good practice in terms of stopping the spread of the coronavirus (no handshakes, for example, or failure to wash their hands at specified intervals) unless this is required by the relevant authorities.

Employers should also remember that the collection of medical information can only be carried out by a medical professional who can share the relevant medical data gathered with the employer under professional medical rules. While it would be permitted for an organisation to supply thermometers to staff so that they can monitor their own health, they cannot be compelled to do so.

Organisations must conduct risk assessments to understand the legal implications of any protective measures that they do decide to introduce and, as the World Health Organization (WHO) has insisted from the very earliest days of the outbreak, must be as transparent as possible by keeping employees fully aware of the steps taken through regular privacy information and notices.

Most GDPR-compliant organisations will have appointed a data protection officer, who should be prepared and ready to deal with questions about the collection of personal data relating to exposure to COVID-19.

When enough is enough

Although the legislation, both GDPR and the Data Protection Act 2018 (Schedule 1, condition 3), allows for the collection and retention of health data for the public interest reasons described above, it is important to note that the general data minimisation principle still applies. Care should be taken to gather no more information than is required in the circumstances and to retain it for no longer than the situation dictates.

As always with data protection, the question needs to be asked: “Do we really need this information and is there a less intrusive way of achieving the same goal?” Even during a public health emergency, it is incumbent on organisations to avoid collecting, processing, or disclosing data unnecessarily.

Last reviewed 16 March 2020