The Covid-19 pandemic has created difficulties for many, especially employees and employers. Many business owners have not been able to continue paying their employees. This has resulted in the laying off of many employees. For employees, apart from anxiety over their own health and despite mortgage moratoriums et cetera, this has created financial difficulties. For employers, and especially SMEs the pandemic has the potential to deal a death blow to a business that took years to build up.
As noted in a previous blog, when set against this backdrop, data protection concerns seem trivial. Nevertheless, just as fundamental rights and freedoms cannot be trampled on in a health crisis, neither can data protection rights. Indeed, because more sensitive categories of personal data are now being processed (health data, particularly), more care should be taken to ensure that data protection rights under the GDPR are being respected and enforced.
There must be at least one legal basis to process data and all principles must be abided by. What is often forgotten is that even where derogations from the GDPR apply, the principles must still be respected and applied in any personal data processing operation. While the rules should be obeyed even under extreme circumstances, these same data protection rules (such as the GDPR) do not hinder measures taken in the fight against the Coronavirus pandemic. It is conceivable that in times of emergency such as now, some data protection rules may be relaxed, but it is unlikely they will ever be suspended or waived. Still, there have been many questions to GDPRXpert from clients unsure of aspects of the GDPR, especially in the specific context of this pandemic. At this time, we will take a look at some of the most common questions we have been asked.
I have many of my employees working from home at least temporarily. Are there any special precautions employers need to take in relation to personal data?
Many people work from home, but clearly these numbers have increased since the pandemic. The first thing that those working from home must do from the outset is create the mindset that they are still working in the office. Remember, it is not feasible for employers to go and assess the suitability, or otherwise, of all ‘work from home locations’ (WFHL), so some basic and normal ground rules need to be emphasised.
Employees must secure their data just as they would in the office. To do this they must take the normal precautions and act as if present at their place of employment. It is paramount they don’t allow family members, or anyone else, to just walk in to where they have set themselves up. For example, they should never leave personal data on view on a computer screen. Data protection consultants GDPRXpert frequently remind clients that it is often the small oversight or lack of attention that leads to data being compromised. Employees should log off when leaving their workstation, or lock an area if too many people are coming and going. Working from a laptop on a couch is not a good idea if sharing an apartment or house with others! There should be strict controls on the ability to download personal data from an organisation’s system files.
If no relevant data protection policies are in place, now is the opportune time to enact some to govern how company assets and information can be accessed, where information can be stored, and how information can be transmitted. Employees must be quickly made aware of, and become competent about, the types of information considered to be confidential, trade secret, or otherwise protected. There is much anecdotal evidence of an upsurge in phishing attacks.
In the US there has been a huge rise in fraud schemes related to Covid-19, with many businesses receiving fake e-mails purportedly from the Centers for Disease Control and Prevention (CDC). These emails contain malicious attachments, so employees at WFHL need to be extra vigilant. In all cases these fraudsters are attempting to have their targets access and verify personal information or credentials. Employers must train their employees on how to detect and handle such scams and keep them informed about the latest threats. It is a good idea to have regular video conferencing with staff to facilitate Q&A sessions and update everyone on the latest threats. It also helps staff morale.
Only those whose essential job duties place them in the ‘need to know’ employee classification should have access to ‘special category data’, which includes health data. It is best practice to carefully review any Bring Your Own Device (BYOD) agreements, if any are in place between you and employees. In this scenario, and where special category data are being processed, it is vital that all information is encrypted in transit and while at rest on the device. For example, many in the healthcare field are now working remotely and collecting health data. In the absence of special arrangements these remote employees should be utilizing company-issued equipment and not saving company data to personal laptops, flash drives, or personal cloud storage services such as Google Drive.
It is true to say that the risks for the employer are numerous, so all care should be taken in relation to BYOD agreements. Any employer should seek to ensure that BYOD practices do not compromise the security of, or the employer’s right of access to, company information and data, and that the policies comply with all attendant legal obligations.
In the conventional office setting it is easy to have a quick word in an employee’s ear if an employer becomes aware of any breach of, or indiscretion concerning, a BYOD agreement. It is more complicated when employees are working remotely. Best and safe practice is for employers to consider periodic reminders of the BYOD policy and offer training sessions, as well as ongoing education regarding the importance of protecting the employer’s trade secrets, confidential and proprietary information and data.
“There is no questioning the advantages of BYOD agreements. It is a growing trend, one that may already be occurring at your company. Employers are implementing policies and practices that permit, or even require, their employees to use their personal electronic devices (e.g., laptops and smart phones) and data services (e.g., backup and file-sharing software) for work-related purposes. The appeal of such Bring-Your-Own-Device (BYOD) practices for both employers and employees is undeniable. Employers avoid the up-front costs and administrative hassle of purchasing laptops and smart phones as well as employees’ demands for the latest and greatest gadgets, and employees do not have to carry around multiple devices. Overall, this is a much simpler and more efficient way of doing business, right?” (Elaine Harwell, Senior Counsel, Procopio). There are security considerations nevertheless, and here are some aspects that demand careful attention.
Your BYOD policy should cover a broad range of topics, including:
- Which employees are permitted to use personal devices for work purposes;
- Acceptable and unacceptable use of personal devices for work purposes;
- Your ownership of and right of access to all employer data on employees’ personal devices and employees’ lack of privacy rights in that data;
- Your security and data protection protocols;
- Your employees’ obligations with respect to maintaining the security of employer data (e.g., a provision requiring employees to protect all devices that contain employer data with a password or PIN);
- A disclaimer that the employer is not responsible for the security of the employee’s personal data;
- Reimbursement for the employee’s use of his or her personal devices; and
- Rules and/or restrictions regarding work-related use of personal devices outside of working hours.
Can an employer let employees know the identity of a co-worker who has contracted Covid-19?
We know that personal data includes an identifier such as a name. Processing includes inter alia, “…disclosure by transmission, dissemination or otherwise making available…” Therefore, sharing the name of an employee who has contracted Covid-19 constitutes personal data processing. ‘Data concerning health’ under Art.4 GDPR includes any personal data related to the physical or mental health of a natural person …which reveal information about his/her health status. In this instance we have an employee’s name, which is ‘ordinary’ personal data, and data concerning health, which falls under ‘special category data’ under Art.9 GDPR. Processing rules vary depending on the categorisation of the data involved. The legal bases for processing also differ, again depending on the category of the data.
In line with the confidentiality principle, the general rule is that the identity of an affected employee should not be disclosed to his/her colleagues or any other third parties without some legal basis or very strong justification. Informed by previous experience, we know that the smaller the business is, the more easily the identity of the co-worker will become known. Even in larger companies a person’s absence will be noticed and lead to unhelpful speculation, much of it on social media, as to who exactly has the virus. This speculation would be upsetting for those wrongly identified as having Covid-19. It is usually not necessary, and often will not serve a legitimate purpose, to disclose the identity of an employee with Covid-19. Employers are under a legal obligation to ensure the health and safety of employees (Safety, Health and Welfare at Work Act 2005). Informing employees of an infectious disease in the workplace would be a statutory duty (also a common law duty with an attached duty of care). Indeed, employers should carry out a risk assessment to identify the risks of a coronavirus outbreak at work, and implement steps to minimise that risk. That said (even in the absence of obligations under health and safety legislation), it would be expected that employees would be informed of any case of Covid-19 in a work setting in order that staff could self-isolate or work from home.
Any information disclosed should always be limited to the minimum necessary for a specific purpose. Someone’s identity, normally and generally, should be disclosed only where absolutely necessary and on a strict need-to-know basis. As evident from a notice by the DPC, the key word may be ‘generally’: “Any data that is processed must be treated in a confidential manner i.e. any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.” The DPC also states that “the identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification.” We note it does not state ‘without a clear legal basis under GDPR’. There is a world of difference between the two. Any test of what is ‘clear justification’ either does not exist, or is a subjective test. Who decides what a ‘clear justification’ is? Does a justification have to be set within a legal basis? The ultimate arbiter on this is the CJEU. It is a facile exercise to set out a justification for an action, rather than ground it on a legal basis.
From a practical perspective, to allay fears amongst all employees who are wondering how close their contact was with the infected employee, a common-sense approach would be to ascertain whether the infected employee would consent to his/her identity being made known to co-workers, with the aim of more effectively safeguarding those co-workers. For example, if a worker in a very large manufacturing plant became infected, it would cause undue stress to many employees if no other information was forthcoming from the employer. Employees will worry and wonder about how close they were to the infected individual. If an employer is too specific about the area of the plant where the infected employee worked, it may be tantamount to naming the individual. The circumstances and details of any particular case will determine the nature and quality of the dilemma facing the employer.
There is no avoiding the reality that not knowing who exactly in your place of employment has contracted Covid-19 will cause undue stress on that person’s co-workers. As noted many times, data protection rights under the GDPR, and data protection and privacy rights under the Charter and the European Convention on Human Rights respectively, involve a balancing exercise with other rights. In cases like the present one, the unprecedented circumstances involved in the whole scenario suggest to us that a common-sense approach is an option that many will consider. It is an approach that carries some risk. In normal circumstances a person’s identity should not be disclosed, but in very extreme situations, such as the present one, a justifiable case could be made for releasing a person’s identity.
This action is still fraught with danger, and if an employee files a complaint it will be up to the DPC at first instance to give a decision. An employer’s justification in releasing the identity of the coronavirus victim may not withstand scrutiny by the DPC. The best advice is not to release a person’s identity unless you have obtained explicit written consent from the employee. Where explicit consent is not forthcoming, our advice would be to state that a co-worker, who cannot be named at this time, has contracted Covid-19. How much more information is conveyed to co-workers is dependent upon the particular, and possibly unique, circumstances of an individual situation.
There will be cases where, for example, an employer will conclude that the health and safety of all employees is best served by disclosing the identity of the employee with Covid-19. In such a situation, and because of the statutory duty on the employer by virtue of health and safety legislation, there is at least an arguable case. Remember, although set in a different work context, ‘the indications of impending harm to health arising from stress at work must be plain enough for any reasonable employer to realise he/she should do something about it’ (Hatton v Sutherland 2 All E.R. 1).
Ultimately, the roadblock may be formed by the twin concepts of ‘necessity’ and ‘proportionality’ that permeate the GDPR and EU law. Views on the issue are by no means unanimous across the EU. A most recent guidance note from the European Data Protection Board says ‘employers should inform staff that colleagues may be infected, but they should only reveal their names if national law allows it; if they can justify that such a step is necessary; and only after the affected workers have been informed/consulted beforehand.’ Earlier we saw the slightly differing view from the DPC guidance. The U.K. ICO also takes a slightly different view: “You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees as well as a duty of care. Data protection doesn’t prevent you doing this.” The identity of affected individuals must not be disclosed to their colleagues or third parties without a clear justification.
The Appropriate Lawful Bases
The HSE and other public health authorities would be seeking details concerning any Covid-19 case in any context. Certain information is always needed so that authorities can effectively carry out their functions. Covid-19 was only recently declared a ‘notifiable’ infectious disease. Medical doctors are mandated to report cases to the Medical Officer under the Infectious Diseases (Amendment) Regulations 2020. There is no equivalent legislation covering employers. Strangely, employers are not mandated to report infectious diseases to the Health and Safety Authority. Employees under the 2005 Act are mandated to report to their employer, or the employer’s nominated registered medical practitioner, if they become aware of any disease which affects their performance of work activities that could give rise to risks for the health, safety and welfare of others at work. A clear duty is imposed on all employees to protect themselves and others. However, employers under the 2005 Act are under a legal obligation to protect employees from issues that affect their health and safety in a negative manner. Clearly, this could easily be construed to include the novel coronavirus. This could act as a lawful basis for processing personal data.
Processing could also be justified on the basis of Art.6(1)(d), that it is ‘necessary to protect the vital interests of the individual data subject (employee) or other persons (other employees or other people)’. An employer could also find a legal basis for processing the personal data under Art.6(1)(f) GDPR where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party…” Where an employer relies on this legal basis, he/she should document the ‘legitimate interests assessment’ that has been made.
In certain cases the person’s identity will be needed. For example, authorities may need to interview the employee who has contracted the disease. Recital 46 GDPR states “some types of processing may serve both important grounds of public interest (lawful under Art.6(1)(e)) and the vital interests of the data subject (Art.6(1)(d)), as for instance where processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread…” Where the employer shares information, the sharing should be in compliance with the GDPR and, most especially, the principles. In many cases employees themselves may fully consent to having their identities made known, or they will make it known themselves. If so, in those cases the personal data will have been ‘manifestly made public’.
It is questionable whether the consent of an employee to processing of his/her own personal data would constitute valid consent. It has not been definitively set out in the context of the employer/employee relationship, but Recital 43 makes it clear consent is not a valid legal ground “where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority…” GDPRXpert has not found any case law to support the view that an employer/employee relationship would satisfy the ‘clear imbalance’ test. Undoubtedly, the average employee could feel pressurised into giving consent. It is something that will fall for future decision on a case-by-case basis. What is noteworthy is that the reference to a clear imbalance in the context of an employment relationship, which had been included in an earlier draft of the GDPR, was deleted in the enacted regulation.
Health Data Processing
Where data concerning health are involved, the situation changes. As we know there is a general prohibition on the processing of ‘special category’ data, which includes data concerning health. There are a number of exceptions to this broad prohibition, including under Art.9 (2) GDPR and sections of the DPA 2018. These provide potential legal bases for processing health data for the purposes of Covid-19 containment. S.46 DPA 2018 and Art.9(2)(b) permit the processing of health data where necessary and proportionate for the purposes of exercising or performing any right or obligation under Irish employment law – employers are legally obliged to ensure the safety, health and welfare at work of their employees. Specific measures to safeguard the fundamental rights and interests of the data subject (employee) must be taken.
Perhaps the most appropriate legal basis for processing health data is found under Art.9(2)(i) GDPR and s.53 DPA 2018, both of which provide exceptions to the general rule. Here the processing is deemed necessary for reasons of public interest in the area of public health such as protecting against cross border threats to health. Both must be underpinned by law (EU/Member State) providing suitable and specific measures to safeguard rights and freedoms of the data subject (employee). Examples of suitable safeguards would be limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
S.52 DPA 2018 and Art.9(2)(h) GDPR also offer a sound legal basis as both provide, inter alia, for processing for the purposes of preventative or occupational medicine, and for assessment of the working capacity of an employee. Necessity and proportionality are always underlying considerations.
Can employers ask for travel and medical information from employees and from visitors to the workplace?
Employers, as we noted earlier, are under a legal obligation to protect the health of their employees and to maintain a safe place of work (Safety, Health and Welfare at Work Act 2005). There would be justification for employers asking employees and visitors about recent travel, in their efforts to prevent or contain the spread of Covid-19 in the workplace. This would be especially so where they are worried about any possible travel to Covid-19 hotspots. In this regard, employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms. If travel has taken place as part of an employee’s duties, then those details are already known to the employer. The question then becomes one of asking about personal travel destinations and the presence of any Covid-19 symptoms.
In Ireland the DPC has given recommendations on Covid-19 and these support the view that it is reasonable to ask an employee such questions. Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. It is advisable to be sensible when asking employees to provide personal information about their likelihood of risk and not to ask for more than you genuinely need.
Out of the 28 national data protection authorities of European Union member states, some 20 EU countries have issued specific guidance regarding COVID-19 and data protection so far. We are beginning to see several core principles emerge from this guidance:
- COVID-19 sensitive personal data, such as medical symptoms and diagnosis, travel history, and contacts with those who have been diagnosed can be processed on the basis of safeguarding public health.
- The fact that an employee has tested positive for COVID-19 can be disclosed, but identifying information about the individual, in particular the individual’s name, should not be disclosed.
- European DPAs have scrutinized if not discouraged or prohibited mass surveillance techniques by data controllers, such as use of questionnaires or temperature checks, other than those performed by health authorities.
- Security measures must still be implemented to protect COVID-19 personal data.
What the foregoing has shown is that some issues around data protection in the context of the Covid-19 pandemic are complicated. The coronavirus pandemic has brought forth evidence of how interpretations of some articles in the GDPR vary within jurisdictions. Member states (MS) have been given some latitude in making changes and additions to the GDPR, but Covid-19 has exposed a lack of consistency in interpretation of portions of the GDPR across the EU. This is something we will look at closely in the future, and as the pandemic expands in a potentially lethal manner globally.
Patrick Rowland, GDPRXpert.ie.
We are GDPR and Data Protection consultants with bases in Carlow/Kilkenny and Mayo, offering a nationwide service.
For more details visit www.gdprxpert.ie