What are the data protection implications of holding Covid-19 health data?
The ICO is providing new guidance to organisations regarding data protection and coronavirus, which can be accessed here: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/
Information about the Covid-19 health status of individuals is special category data under the GDPR. This means it is high risk which has implications for how you use it, store it and keep it secure.
You will already hold health data about your employees as this is necessary to provide a safe, accessible place to work and to make reasonable adjustments to the workplace. You now need to make sure that the information you gather about your employees, visitors to your sites, customers and suppliers about Covid-19 is processed in accordance with data protection laws.
Related FAQs
Employees with visas should be treated consistently with the wider workforce. When their furlough leave ends, they should return to work and their pay should be reinstated. If you agree a pay cut or reduction in working hours, you need to ensure that sponsored workers are still earning above the minimum salary for their role and working in excess of the minimum number of hours (see above).
The flexible furlough scheme is now in place and can be used for employees who have previously been furloughed for a consecutive period of at least three weeks. The flexible furlough scheme remains in place until 31 October 2020.
Yes, but only for work purposes and where it is unreasonable to do so from home. Work colleagues cannot meet to socialise.
The outbreak is certainly going to have an impact on new lease negotiations.
Undoubtedly many transactions will be put on hold or indeed stop entirely. Where matters are ongoing, tenants may well look to strengthen rent suspension provision.
It is also possible that tenants and their representatives will also now seek to include termination rights for unseen events. In this regard, the concept of force majeure may start to appear more often in leases.
In both of the examples above, such attempts are not likely to be well received from landlords who will undoubtedly suggest that tenants ensure that their business interruption insurance policies are robust enough to protect the tenant in the event of any future pandemic events.
Another approach tenants might adopt going forwards in negotiations for a new lease (or indeed seeking to vary existing leases), is to move away from the traditional market rent model to a turnover rent arrangement. This will offer some protection going forward if trading conditions deteriorate, but again getting institutional landlords to agree such an approach may prove difficult.
If an employee is required under government guidance to wear a face mask during the course of their employment and there is no applicable exemption, any fine issued would be payable by the employee, not the employer.
Privacy policy – You must make sure the relevant privacy policies deal with how you will process Covid-19 data. You should have an employee privacy policy and this may already deal with health data (if it doesn’t, it should). You might also need to look at privacy policies for customers, visitors and suppliers. This ensures that processing is lawful, fair and transparent.
Lawful processing conditions – You will need to consider which processing conditions you are relying on (remembering that you need both an Article 6 condition and an Article 9 condition – this is the part of the GDPR which deals with special category data). As a lot of the data you collect will be about employees, you can’t use consent so you will have to find another lawful reason under GDPR which allows you to process the data.
Appropriate policy document – When you are considering your Article 9 processing conditions, remember you must also have an “appropriate policy document” in place.
Processing record – Finally make sure your processing record is up to date with information on what data you collect and use.