What do we need to do?
Privacy policy – You must make sure the relevant privacy policies deal with how you will process Covid-19 data. You should have an employee privacy policy and this may already deal with health data (if it doesn’t, it should). You might also need to look at privacy policies for customers, visitors and suppliers. This ensures that processing is lawful, fair and transparent.
Lawful processing conditions – You will need to consider which processing conditions you are relying on (remembering that you need both an Article 6 condition and an Article 9 condition – this is the part of the GDPR which deals with special category data). As a lot of the data you collect will be about employees, you can’t use consent so you will have to find another lawful reason under GDPR which allows you to process the data.
Appropriate policy document – When you are considering your Article 9 processing conditions, remember you must also have an “appropriate policy document” in place.
Processing record – Finally make sure your processing record is up to date with information on what data you collect and use.
Related FAQs
Small suppliers (defined by reference to certain financial indicators) are temporarily exempt from these new restrictions until 30th March 2021 in order to account for the difficulties to small suppliers during the Covid-19 pandemic.
There are also certain industries that are exempt from these restrictions (for example financial services). The Secretary of State may also create further exemptions framed by reference to kinds of company, supplier, contract, goods or services or in any other way.
It remains the case that anyone who has symptoms, however mild, or is in a household where someone has symptoms, should not leave their house to go to work. Those people should self-isolate, as should those in their households.
It is unlikely that an employer can place such a requirement on staff without infringing the employee’s privacy. If the employee is acting in accordance with the rules, limiting their activity would likely be considered unreasonable.
The guidance states that people should aim to wear a face-covering in indoor spaces where social distancing is not always possible and they come into contact with others, for example on public transport or in some shops, and potentially in the workplace. Face coverings do not mean face masks such as clinical masks worn by certain key workers as PPE, which should be reserved for those people.
Staff working in areas that are open to the public must wear face coverings, this includes:
- shops
- supermarkets
- bars
- pubs
- restaurants
- cafes
- banks
- estate agents
- post offices
- public areas of hotels and hostels
If these businesses have taken steps in line with Health and Safety Executive guidance for COVID-19 secure workplaces to create a physical barrier between workers and members of the public then staff behind the barrier will not be required to wear a face covering.
For other indoor settings, employers should assess the use of face coverings on a case by case basis depending on the workplace environment, other appropriate mitigations they have put in place, and whether reasonable exemptions apply.
Crucially the phrase “force majeure” has no specific meaning in English law. As a result, there is scope for complex legal argument, including as to whether the effects of the coronavirus outbreak can amount to force majeure in the first place. If the coronavirus crisis deepens, force majeure provisions could become relevant in the following ways:
- suppliers to your business might seek to invoke force majeure
- you may need to invoke force majeure under your own contracts
Each of these will need careful analysis of the relevant contract against the applicable factual background. Unfortunately, the position is unlikely to be clear cut.