Following the coronavirus (COVID-19) lockdown, the return to the workplace is presenting organisations across the globe with a number of challenges. In this blog, we will be addressing the challenge of maintaining compliance with applicable data protection legislation as new controls are proposed that involve processing staff health data for new purposes.
The Data Protection Compliance Wheel
Download It Now!
Assess the purpose and benefits
It goes without saying that every workplace is unique and, as such, presents different risks. The first step for your organisation is to conduct a thorough risk assessment, in accordance with Government guidelines applicable to your sector. This will identify any areas where individuals might be vulnerable to the threats presented by COVID-19 and where safeguards need to be developed and implemented to permanently or temporarily reduce the likelihood or impact of that threat materialising. As an example, access and exit points to your building may be more congested, so a mitigating control could be to stagger arrival and departure times. Different working environments will present different risks, and the risk assessment outcomes and decisions need to be thoroughly documented.
Assess the risks
At this stage, you will need to consider whether a data protection impact assessment (DPIA) is appropriate. DPIAs are mandatory in cases where the processing is likely to result in a high risk to the rights and freedoms of data subjects. (It is important to remember that the findings of the DPIA should inform the design of your controls and may even push you to seek alternative, less intrusive approaches. The following sections will also be part of your DPIA).
Is all of the personal data you are intending to collect necessary for the purpose?
Some of your selected measures may have privacy implications. You may decide, for instance, to screen and temperature check staff and visitors before allowing them on site. This has the potential to be quite intrusive and will need to be carefully considered to ensure it is appropriate. If so, you will need to be mindful of the amount of data to be processed which will vary between organisations. For example, do you need to record the names of those you have checked? Or, can you achieve the same outcome without doing so? Do you need to record precise temperatures or could a simple yes/no be sufficient? Remember that ‘processing’ covers everything from collecting, storing, disclosing/sharing, using and deleting the data from collection to destruction.
Is the new processing compatible with the existing purposes?
If you will be using existing employee personal data that was collected for the purposes of administration of employment and managing employees, you, as the employer (and data controller) must ensure that the processing of the data you need to use for your safeguarding measures is not incompatible with the original reason for collecting it and the lawful basis that was used. You may be able to continue processing under the original lawful basis that you applied, provided that your new purposes are compatible. The key thing is to make sure that the additional use of employee data would not be a surprise to employees and other categories of data subjects (such as visitors, customers etc) and ensure that they are fully informed about the new use.
Stick to the ‘principles’
Although most regulators are showing a degree of understanding to the challenges faced by data controllers and processors, they are clear that the existing legislation continues to apply. Keep the data protection principles (Article 5 of the GDPR) ‘front of mind’ and ensure that your processing is compliant with the requirements. Amongst other things, personal data must be processed securely, kept to a minimum, retained only for as long as necessary for the purpose, be accurate and up to date, adequate, relevant and be processed fairly for legitimate purposes.
Following lockdown, one of the key data protection principles you need to be cognisant of is the requirement to process data in ‘a transparent manner’. Data subjects have a right to be informed about data processing which relates to them. Article 13 sets out the information that must be provided to individuals at the point at which the data are obtained. You are only obliged to provide information they don’t already have. Assuming you have previously provided them with privacy notices you can, therefore, exclude some of the arduous elements such as setting out their rights. Also bear in mind that you might collect data about other persons indirectly and they also have a right to be informed. This, for example, could be the case where you need to know whether a member of staff has vulnerable dependents. Ideally, you would record a simple yes/no (data minimisation), but in cases where you need to collect more data, you may need a mechanism for providing information about the processing to the third person.
Identify a lawful basis
DP law requires controllers to establish lawful bases for processing health-related data by relying upon at least one of the grounds set out in Article 6 and, because health data is considered a ‘special category’, one of the grounds from the list provided in Article 9. In the COVID-19 context, perhaps the most appropriate Article 9 grounds might be “the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health…”, (Article 9 (i)).
As consent cannot be used in the employment context and consent for processing health data must always be explicit, specific and informed, most data controllers rely on an exemption from the explicit consent rules for processing health data for employment. However, it is unlikely that any existing consent obtained from non-employees was secured in relation to a COVID-19 (public health) situation. You may, therefore, need fresh explicit consent for the new purpose, or have to identify alternative lawful bases for the new processing.
When selecting a lawful basis, you should always pick the most robust and don’t forget to maintain a record. ‘Consent’ as a lawful basis, for example, is best avoided if at all possible, due to its ephemeral nature. It may also not be valid, as it needs to be ‘freely given’ and there is always an imbalance of power between employers and employees that means the latter may not feel free to refuse. Again, ensure you record the lawful basis in your record of processing.
In the ‘return to the workplace’ scenario, your lawful basis could be the need to comply with health and safety legislation, occupational health, medical conditions/reports written by a medical professional or to enable compliance with another law to which your organisation is subject. If you, as an employer, can’t find lawful grounds under Articles 6 or 9 because the use of that data is not for the employment purpose, then you will need to obtain and record the employee’s explicit consent for the processing. If this is the case, be mindful that consent must be capable of being withdrawn, and offering unfair penalties or inducements to obtain that consent is prohibited.
Be aware that it’s often not just employers involved. Other organisations are likely to need to process some aspects of this data, e.g. building management companies and landlords. As such, some third-party contracts will require scrutiny to confirm that contractual conditions and controller/processor relationships are established. This will help cover disclosures or questions asked of suppliers if they are controllers in their own right.
Respect data subject rights
The data protection laws have strengthened data subjects’ rights and the data controller must facilitate the exercising of those rights. Timescales are tight in responding to data subject requests and although there is some conditional leeway built into the legislation, you should not expect an exemption simply because these are unusual times. You need to review how you can ensure data subject rights are supported by your organisation. The additional data you are processing as a result of your new controls will be in scope of the rights to access, erasure, rectification etc. As such, you should ensure that your policies and procedures are still appropriate, and you remain able to achieve compliance. Check, for instance, that you haven’t furloughed the person charged with receiving and processing data subject access requests. If so, has someone else been given responsibility for regularly monitoring all the different communication formats (e.g. email, post, voicemail) where requests can be made in order to avoid unnecessary delays?
As with all data protection matters, you should keep records of all your discussions and decisions. Regulators are like teachers; they want to see your ‘working out’. You will receive credit for trying to reach the right conclusion, even if you got the answer wrong and, conversely, regulators will take a dim view if you cannot show any evidence of your decision making process. This is the case even in the absence of a breach or complaint, as the ability to demonstrate compliance (accountability) is a core requirement of the data protection legislation. Being unable to do so could land you in hot water!
In all cases, the purposes of the processing, categories of data subjects and the lawful bases (preferably assessed, determined and approved by performing an internal DPIA) must be documented on the Data Controller’s Register of Processing (RoPA).
Audit your compliance
It is also important that you regularly audit your approach to ensure it remains compliant, relevant and appropriate as the COVID-19 situation and government guidelines develop and change.
How URM can help
In this blog, we’ve addressed a number of the data protection factors and issues facing organisations in the ‘return to work’ scenario following lockdown. Given the scale of challenges facing organisations, it is understandable that many will not have the bandwidth to tackle all, if any, of the above. If your organisation is in this position, URM‘s experienced consultants can provide pragmatic, expert advice allowing you to focus on steering your business through the changes required. As well as helping you to carry out your COVID-19 risk assessment, we can offer practical, tailored advice and assess each aspect of your risk treatment plan to ensure that you maintain your GDPR and data protection compliance every step of the way.