Data Protection and COVID-19

Businesses may be required to share information quickly, and adapt and change the ways in which they work as a result of the coronavirus (COVID-19) outbreak. However, despite the unprecedented nature of the virus outbreak, businesses must still consider immediate business and staff interests in light of data protection laws. We have considered some of the key issues below.

If an employee has COVID-19, is this considered to be their sensitive personal data?

Yes. Health data, including whether an individual is suffering from a specific illness, is special category data. Special category data is personal data that needs more protection because it is sensitive, so there is a higher threshold to meet in order to process this data lawfully.

So, can we process health information about staff in response to COVID-19?

Yes, but the processing must be proportionate and you must have a specific lawful basis for processing such information. In an employment context, employers typically rely on compliance with existing laws and regulations to collect health data (for example, the legal obligation to make reasonable adjustments for disabled employees).

An employer’s duty of care towards its staff and its obligation to ensure employees’ health, safety and welfare at work means that you can and should keep staff informed about COVID-19 cases within your company. You can also ask your staff to confirm if they have been to a particular high-risk country, fall within a vulnerable group, or if they have any COVID-19 symptoms.

In the unfortunate event that one of your staff members is infected, you may not need to tell other staff members the name of the affected individual and you should not provide more information than is necessary. What is necessary will depend on the particular circumstances and will need to be considered on a case-by-case basis to ensure the information shared is proportionate. Considerations should include the extent to which any other individual has been in close contact with the affected individual, particularly if any of those individuals are high-risk, or any information that might help authorities better manage COVID-19.

You should consider taking steps now to notify staff of how their personal data will be handled in responding to any potential or confirmed case of COVID-19 in the workplace.

There may be some situations where you need to share health information with third parties. This will also need to be considered on a case-by-case basis, and in some situations seeking consent from the individual may be appropriate if you do not have another basis under which to disclose the personal data. The Government may also bring in new laws that mandate sharing of certain health information with hospitals and local authorities to better deal with the COVID-19 pandemic.

Remote working and data security – what steps should we take?

There may be additional data security concerns associated with remote working. You will need to ensure that your existing security measures are appropriate when considering the risk of any harm to individuals, and make any technical and organisational enhancements that may be necessary. The requirements under data protection laws are the same irrespective of whether the data is processed in an office or remotely.

You may also need to consider whether staff should be prevented from printing paper files, as secure destruction may be hard to implement and monitor.

Other considerations will include whether staff are prohibited from using their own devices to perform their roles and ensuring that any internet connection used is secure and not open to the public. You should ensure all devices, Virtual Private Networks (VPNs) and firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software), and have strong password credentials in line with National Cyber Security Centre guidance.

We are here to help

We have a team of data protection and employment experts who can assist you with any additional questions or concerns you may have as this matter progresses. Please fill in the enquiry form to find out more.

Coffin Mew

Coffin Mew is an innovative and entrepreneurial regional law firm with offices across the South and Thames Valley areas. They advise entrepreneurs, privately-owned organisations and their owners and private landowners as they manage their commercial risk, people, corporate structures and transactions, estate and property management, and wealth management.