Businesses may be required to share information quickly, and adapt and change the ways in which they work as a result of the coronavirus (COVID-19) outbreak. However, despite the unprecedented nature of the virus outbreak, businesses must still consider immediate business and staff interests in light of data protection laws. We have considered some of the key issues below.
If an employee has COVID-19, is this considered to be their sensitive personal data?
Yes. Health data, including whether an individual is suffering from a specific illness, is special category data. Special category data is personal data that needs more protection because it is sensitive, so there is a higher threshold to meet in order to process this data lawfully.
So, can we process health information about staff in response to COVID-19?
Yes, but the processing must be proportionate and you must have a specific lawful basis for processing such information. In an employment context, employers typically rely on compliance with existing laws and regulations to collect health data (for example, the legal obligation to make reasonable adjustments for disabled employees).
An employer’s duty of care towards its staff and its obligation to ensure employees’ health, safety and welfare at work means that you can and should keep staff informed about COVID-19 cases within your company.