ADVISOR: HR 53
GDPR issues arising as a result of Covid-19 CAROLINE MCENERY managing director, The HR Suite
As Ireland gradually emerges from lockdown, Caroline McEnery of The HR Suite examines the sensitivities involved in the collection, storage, disclosure and retention of employees’ medical data, and outlines how to ensure your company stays on the right side of the law
t is safe to say that Covid-19 has challenged employers in adapting to the rapid development of the ‘new norm’ whilst also continuing to strike a balance between the business and their employees’ best interests. That certainly is a challenge of huge proportions that not many businesses could have been prepared for. As our Covid-19 situation develops and we navigate this new storm, businesses begin to think about their contingency plan in the reopening or continuation of their business in the coming weeks, months and perhaps even years. It is prudent for businesses to remember that whilst this crisis has brought about definite operational challenges in the best interests of their employees’ safety, it has also raised the bar in terms of general data protection regulation (GDPR) and the volume of personal data businesses now need to collect.
Safeguarding medical information The Commission Nationale pour la Protection des Données (CNPD) in Luxembourg has drawn a reasonable data protection concern over suggestions that daily health statements or temperature checks could be requested by employers, writes Caroline McEnery
Medical information pertaining to an employee is considered sensitive personal data and requires heightened vigilance from the employer in collecting personal information, which ultimately must be necessary and serve a legitimate purpose for the legality of its processing. In the Irish government’s return to work protocol, it clearly identifies that additional measures need to be taken on behalf of the employer in relation to their employees before and during any return to the workplace. For example, a pre-return to work form, notification of feeling unwell and a Covid response team. Each of these measures includes small print which silently whispers GDPR! The ripple effect of their input will mean that the employer holds the additional responsibility of safeguarding this information. An employer, when collecting such data, must be clear and transparent in their communication of the purpose for collecting and retaining any information relating to an employee. Particularly, where medical data is concerned.
Clear response plan
CONTACT THE HR SUITE: If you require further information or advice on HR, please do not hesitate to contact The HR Suite’s consultants on (01) 9014335 or (066) 7102887 or email the company at firstname.lastname@example.org.
So, what happens when the alarm bells are raised for a suspected or confirmed case in the workplace? Measures taken in response to a suspected case of Covid-19 in the workplace must involve a heightened awareness from a company perspective. This ranges from who is permitted to have access to the data, who is on the Covid response team trained on appropriate data collection and storage, and how much information should be relayed to a person at risk that may need to self-isolate. It is imperative that a clear response plan pays tribute to these key GDPR matters.
ShelfLife June 2020 | www.shelflife.ie
For each data processing action in relation to the collection, storage, disclosure or retention of data, a balancing of interests must be struck between the legitimate interest of the employee to keep their personal data private and the obligation of the employer to ensure the health and safety of their employees at work. It is the employer’s legal obligation under the Health, Safety and Welfare at Work Act to protect the health and safety of their employees whilst at work. In this current pandemic, health and safety must prevail when it becomes necessary to communicate to staff regarding the possible presence of Covid-19 in the workplace.
Disclosure In the best interests of the health and safety of all employees, the employer may disclose the exposure to a person or people identified as at risk, to an extent that is proportionate and necessary, while refraining from revealing any personal data that is identifiable to the employee suspected or confirmed to have contracted the virus. In emergency circumstances, where an employee is physically unable to give consent to process their personal data, it is permissible to process this individual’s data to protect the interests of the employee and others in the workplace. Irrespective of these measures, employees must continuously be reminded of company policy and the requirement to remain at home if they begin to feel symptomatic. Employees must notify their employer if they begin to feel unwell and are showing symptoms related to Covid-19, so as to minimise the risk of exposure and necessity for the employer to consult with any employees on the need to self-isolate.
Data protection concerns Although there has been no advice published at present in relation to the dos and don’ts of GDPR and the current pandemic from the Data Protection Commissioner in Ireland at the time of writing, the advice available from the Commission Nationale pour la Protection des Données (CNPD) in Luxembourg has drawn a reasonable data protection concern over suggestions that daily health statements or temperature checks could be requested by employers. This is an interesting consideration as many talks continue around the possibility of temperature checks in the workplace in the not-so-distant future. The HR Suite can advise you and your organisation how to be proactive in managing GDPR issues that arise as a result of Covid-19 in your organisation. If you require further information or advice on the above, please do not hesitate to contact its HR consultants on (01)9014335 or (066)7102887. n