Data protection and coronavirus: what employers need to know
As an employer or HR manager –in a business continuing to operate in these difficult times, you may face questions in the coming weeks on employees’ health during the COVID-19 pandemic. Specifically, you may have employees asking if a colleague has symptoms or diagnosis of Coronavirus infection or become aware that a colleague has tested positive and may have exposed fellow colleagues. The key message from the UK’s Information Commissioner’s Office (ICO) is that employers and organisations must still follow data protection principles when processing personal data in relation to COVID-19. The ICO emphasises the importance of “being proportionate” – that is, balancing the employer’s obligation to ensure the health and safety of employees with the individual’s right to have their personal data and privacy protected.
The ICO stated last week that while “you should keep staff informed about cases in your organisation […], you [probably] don’t need to name individuals and you shouldn’t provide more information than necessary”. However, from a data protection point of view, the approach of not-naming-names often does not completely eliminate the risk of disclosing personal data about an individual employee (for instance, if your organisation is small it could be relatively easy for employees to work out who is the relevant individual where details other than name are given if that information is sufficiently detailed or specific or colleagues are aware a person is unwell or self-isolating). Hence disclosing even general information about testing and results could, in certain circumstances, result in individuals being identified (or at least suspected) of having tested positive.
So what does this mean in practical terms?
- Give very careful consideration before informing employees if someone in the organisation has been tested or has tested positive, only share information to the extent absolutely necessary and proportionate.
- Remember, not-naming-names does not mean you haven’t revealed who has been tested/tested positive – consider whether individuals will be identified by surrounding circumstances.
- Following, implementing and imposing on staff who are required to continue in work the government guidelines on social distancing and self-isolation to the letter should help reduce the spread of COVID-19, and as an employer this will help you satisfy your duty of care towards employees.
- Based on current guidance and the ICO’s recommendations we consider that, in most cases, the most appropriate approach is very likely on the side of maintaining individual employee confidentiality. Hence confirming only very general, minimal information and only to those who need to know the information, e.g., confirming to line manager or fellow workers that a person is absent or self-isolating, but not revealing details on the reasons for that (whether illness, long term condition (shielding) or a positive test result). This approach may require review in circumstances where more detailed information should be disclosed in order to protect the health/welfare of others. However, given the stringent measures introduced by the Government restricting social contact and self-isolating for illness, it is becoming increasingly difficult to identify circumstances where informing fellow employees of a person being tested or having a positive result for Coronavirus will actually change behaviours in those few working environments which continue to operate. Hence further reinforcing the likelihood that, in most cases, disclosure of testing or a positive result will not be appropriate in the workplace without the specific consent of the individual in question.
Square One Law is here to talk and help you through any questions or concerns you have about data protection or any employment or commercial matters in relation to COVID-19.