Are employers protecting personal data as well as health?

May 22, 2020

Back to work - data protection implications

For data protection practitioners, the COVID-19 pandemic has created an entirely new set of privacy concerns. Among them are a rapid move to remote working practices, changes in technology needs and increased risks from cybercrime. Now as we move into the phased reopening of the country, the new working practices required have additional data protection implications.

The Department of Business, Enterprise and Innovation has recently provided the “Return to Work Safely Protocol” to help employers and employees return to work in a safe way.  I have summarized how these requirements impact on data protection and the steps that an employer must take to ensure compliance.

Requirements impacting on data protection

The Protocol states that employers must:

  • Develop (or update) a COVID-19 response plan
  • Establish and issue a pre-return to work form for workers to complete at least three days in advance of the return to work, to assess if a worker has or may have had exposure to COVID-19
  • Implement temperature testing in line with public health advice
  • Keep a log of contacts/group work to facilitate contact tracing should a case of COVID-19 occur and inform workers and others about the purpose of this log
  • Implement physical distancing requirements which may require employers to change or amend their sign in procedures which can include their biometric systems or other use of personal data
  • Put in place a system for recording visits to the workplace/site(s) by workers/others as well as visits by workers to other workplaces (business travel)
  • Prepare a plan to manage a suspected COVID-19 case in the workplace which may need to include transport to a medical facility, incident assessment and assisting the HSE if required.

Workers must:

  • Complete and return the pre-return to work form before they return to work
  • Inform their employer if there are any other circumstances relating to COVID-19, not included in the form, which may need to be disclosed to allow their safe return to work
  • Complete any temperature testing as implemented by the employer and in line with Public Health advice
  • Report any symptoms that they may develop immediately to their employer

Data protection conformity with a return to work

As data controllers, employers should ensure that they incorporate data protection actions in their COVID-19 response plan as follows:

  • Transparency: inform data subjects of the new data processing activities by updating your privacy notices and informing staff appropriately of this
  • ROPA (record of processing activities): update your Article 30 records to include the new processing activities required above
  • Organisational and technical measures: review and risk-assess as part of the COVID-19 response plan new measures which may be required to protect data now being collected
  • Training: ensure any training on the new protocols includes appropriate references to data protection obligations
  • DPIA (data protection impact assessment): If you are considering a change in a processing activity (e.g. how biometrics are used) with an existing DPIA or if the alterations enter into scope for a DPIA, implement your DPIA policy

Legal basis for implementing the return to work procedures

Employers need to ensure they update their privacy notices and statements with the correct legal basis for the new measures involving personal data processing. Based on the advice from the Department of Business, Enterprise and Innovation, the below legal bases are currently the most appropriate.

Personal Data Special Category Data (Health)
GDPR Article 6 (1) (e): GDPR Article 9 (2) (i):
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;


processing is necessary for reasons of public interest in the area of public health

The requirement for reporting a case of COVID-19 will not be on the employer (our emphasis) under the Safety, Health and Welfare at Work Act 2016. Under the Infectious Diseases (Amendment) Regulations 2020, a medical practitioner is required to report a case to the HSE.

As we know now, the pandemic is a developing situation. Employers should keep up to date with the latest measures introduced by Government and any advice issued as a result. Hopefully, organisations will be able to find a way to incorporate the measures to enable as many people as possible to get back to work safely.


Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe. Sign up here

About the Author: Anne Marie Moore

Let’s Talk

Please leave your contact details and a member of our team will be in touch shortly.

"*" indicates required fields