The Coronavirus (COVID-19) Pandemic and Data Protection: Guidelines for employers regarding privacy laws during the pandemic.
With recent developments in the global arena, the outbreak of the coronavirus has led to many changes in the workplace. Numerous employees have taken to working from home with the new push for social distancing and self-quarantining. There has been a lot of concern over who may be infected by the virus, who has definitely been exposed to it, and who may have visited a country with severe outbreaks. The sharing of information has become critical as medical and other professionals recognize the need for disclosure for the sake of the health of the general public.
The ICO recently released a statement regarding data protection during the coronavirus (COVID-19) pandemic in which the organisation expressed an understanding of the fact that businesses will need to adapt the way that they work. While there will be understandable delays where individuals or businesses make information rights requests during this pandemic, the ICO is unable to extend the statutory timescales. However, the ICO maintains that it will not penalise organisations that need to prioritise other aspects of their business over the usual compliance and information governance.
For the duration of this global pandemic, office staff should be informed about any cases of the virus within the organisation. Names do not need to be disclosed; however, because businesses have an obligation to ensure the health and safety of their employees, data protection does allow them to divulge information on confirmed cases within the organisation.
It is not necessary to collect large amounts of information on employees’ health; however, it is reasonable to stay informed on their travel history, or whether they are presenting symptoms of the virus. If there is a need to collect specific health data, it is important that businesses only collect data that is necessary and treat that data with the appropriate safeguards. In the context of an epidemic, employers and relevant health officials do not need consent to process this data, especially when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health or to protect vital interests or to comply with another legal obligation.
In a recent statement, Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
If it is not possible to process exclusively anonymous data, Article 15 of the ePrivacy Directive allows Member States to introduce legislative measures for the sake of national and public security. This emergency legislation is allowed under the condition that, within a democratic society, it forms part of a necessary, appropriate and proportionate measure, given the circumstances. If these measures are introduced, the Member State will need to apply adequate safeguards, like granting individuals the right to judicial remedy.
During this pandemic, the government, the NHS or any other health professionals may also need to send health messages to the general public by phone, text or email. These messages are not considered direct marketing or advertising and therefore are not hindered by data protection laws.
With more people working from home or working remotely due to the pandemic, the ICO reminds businesses that the same type of security measures must be in place for people who are working remotely as for workers in a normal office setting. Employees may use their own computers and other devices; provided security measures are maintained, data protection does not hinder employees who need to work from home.
Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.