The COVID-19 outbreak is now officially a pandemic. Many companies, including BH Consulting, have put business continuity plans into action to deal with the fallout from the virus.

COVID-19 is a challenge for any business from an economic as well as an organisational perspective. In order to safeguard staff health yet ensure business continuity, companies have had to embrace working from home. Many are grappling with the challenge of remote working at scale; some for the first time.

The situation is fluid and various authorities give mixed advice. The following aims to summarise the advice currently available and provide pragmatic recommendations to employers.

The privacy challenge with COVID-19

The main challenge is that the active measures companies are taking to contain the spread of the virus can involve capturing and using personal data. This is likely to include information about individuals who have travelled to or from risk locations, who have symptoms, or who have been tested. It may also include information as to which employees have been sent home to self-isolate and/or which visitors have been denied access to the business premises.

All this information is personal data, which is protected under GDPR. That includes health data, which gets even greater protection as ‘special category data’ under Article 9. The challenge is to implement any containment measures in a way that complies with the data protection regulations.

Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects.”

Processing employee and visitor data lawfully

Data protection does not hinder the management of public health. GDPR Article 6 provides a number of legal bases enabling employers and public health organisations to process personal data, without the need to obtain consent from the individual. Article 9 provides the conditions permitting the processing of special categories of data such as health data.

Article 9(2)(i) (processing is necessary for reasons of public interest) is applicable, but the employer must be acting under the guidance or directions of the public health authority. In this context, it provides the legal basis for processing health data, together with the employer’s legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005.

Article 6(1)(d) GDPR (processing necessary to safeguard the vital interests) is not automatically applicable. The Data Protection Commission (DPC) stipulates that this is typically applied “only in emergency situations, where no other legal basis is available.”

Assessing the health risk of employees

The DPC suggests that it would require a strong justification based on necessity, proportionality and risk to request specific details of employees’ illnesses.

Other European Supervisory Authorities also provide relevant guidance for this European-wide regulation. In this regard, other Supervisory Authorities are much firmer, suggesting that employers are not in the position to assess the risk to the health of employees. It is the health professionals’ sole responsibility to ensure the health and safety of individuals. Therefore, employers are advised not to conduct checks on employees (e.g. temperatures) themselves. Nor should they make it mandatory for employees to fill out questionnaires to determine their health situation or recent travels.

The general recommendation is to encourage employees to voluntarily come forward with symptoms or recent travels to at-risk countries. Employers can encourage them to do so by explaining that this is in order to help and protect others. Employers should consider putting in place a mechanism such as a phone number or a self-service portal to facilitate an easy exchange of information.

Be transparent and open

As with any processing of personal data, employers must be transparent about the purpose, scope and duration of the data collected. This information must be provided to the individuals prior to processing.

Employers need to make sure that employees and visitors are informed about the purposes of processing, legal basis and other requirements, following GDPR Article 13 (the right to be informed/transparency). Employers should review their HR privacy policy notice to ensure that this is covered.

If an employer plans to collect information about non-employees such as visitors, the information could be collected on special forms or online, perhaps with a link to the website privacy notice.

Safeguards, retention and record of processing

Processing is permitted once the organisation implements suitable safeguards like limitation on access to data, strict time limits for retention, and other measures such as staff training.

Health status should only be used for these purposes and retained for the period necessary to identify risk and to implement necessary measures. So, an employer can retain the data to follow up with those testing positive to ensure appropriate support and self-isolation. However, once these purposes are fulfilled, employers must delete files or shred any information they collected.

It is also important to ensure the security of the data by only allowing access to authorised personnel and recording who has access to the data and files.

Under Article 30 of the GDPR, controllers (and processors) are also required to have records of processing activity in place. The data controller should check and ensure that COVID-19 measures are covered as part of the record of processing.

Compliant sharing and disclosure

Any sharing of COVID-19 data with third parties is subject to Article 28 processor clauses. The DPC advises against disclosing names or details of infected persons to other employees. In practice, this means the employer can inform other employees that an employee was infected by specifying the location the employee has frequented but without mentioning his or her identity.

In addition, if the information is to be shared with entities outside the EEA, an appropriate transfer solution would be required. Typically this should be the Standard Contractual Clauses.

The COVID-19 outbreak is uncharted territory for businesses. In these exceptional times, it is imperative that individuals and organisations alike play their part in containing the virus while striking the right balance between protecting employees and protecting their personal data.