Privacy at the workplace in the wake of COVID-19

As COVID-19 related restrictive measures are being lifted and employees start returning to work from the office premises, employers may be considering introducing certain COVID-19 related measures and controls to ensure the safety of their staff.

Here are some general pointers which you as an employer should find useful.

General principles

COVID-19 related measures and controls introduced at the workplace to ensure the safety of staff will most likely involve some form of processing of employees’ personal data. Health-related personal data is considered a special category of data (i.e. “sensitive personal data”) under the GDPR and, as such, needs to be handled with added caution and care. However, it is important to bear in mind that the GDPR and Data Protection Laws generally do not prevent employers from taking steps necessary to keep employees safe as long as the steps taken are in line with Data Protection Laws.

Transparency is a key factor in the lawfulness of any data processing that is undertaken. If the employer is going to process any personal data for COVID-19 related measures, they should ensure that said processing is covered by a Privacy Policy which has been previously properly communicated to employees. The employer may also wish to consider whether a Data Protection Impact Assessment (DPIA) is required and if certain company-wide data protection documentation (such as, but not limited to, the Data Retention Policy) may also require updating.

Furthermore, any personal data processing function should be based on lawful grounds under the GDPR. As any health data is considered a special category of data, employers should consider that the lawful grounds in this regard are different. Employers should also consider the “Data Minimisation” principle, and thus ensure that they collect the minimum amount of personal data required to perform the safety measure they wish to introduce. Any personal data they collect must be adequate and relevant to the stated purpose, and be immediately deleted (or not even stored if possible) once the purpose of collection has been fulfilled. Confidentiality and security are always key, but especially in this case as one is dealing with sensitive data. It is important to keep in mind that lawfulness of collection of personal data does not necessarily translate automatically into lawful storage and sharing.

Common queries

Below is some generic information on common queries that arise in relation to COVID-19 safety measures:

An employer keeping lists of employees who either have symptoms or have been tested as positive

Such a list may be kept as long as it is kept confidential, a lawful retention period is set for it and it is otherwise kept in accordance with applicable laws. An employer must ensure that such a list does not result in any unfair or harmful treatment of the employees in question.

Relationship with the Staff

Transparency is key in the employer’s relationship with the employees. The employer must ensure that it has previously communicated a Privacy Policy setting out in a clear, open and honest manner all personal data processing that will be undertaken. It would also be helpful to provide employees with the opportunity to discuss the collection of their personal data if they have any concerns.

Sharing with other employees the fact that an employee has tested positive

Employees can be kept informed about potential or confirmed COVID-19 cases amongst their colleagues. The employer should, however, avoid specifically naming the affected individuals. An employer must not provide more information than necessary to its employees.

Sharing with authorities the fact that an employee has tested positive

Where lawful to do so, data protection laws should not be viewed as a barrier to sharing data with authorities for public health purposes, or even with police authorities where necessary and proportionate.

Ongoing monitoring and the use of thermal cameras and/or other thermal checks onsite

Any monitoring of employees needs to be necessary and proportionate, and aligned with the employees’ reasonable privacy expectations. Employers should also think about whether they can achieve the same results through other, less privacy intrusive, means. If so, then the originally-envisaged monitoring will not be considered lawful. Furthermore, the legality of such processing functions should be carefully reviewed.

Article by Mr Stefan Briffa.

GTG Advocates has specialised and in-depth knowledge of data protection, especially where it intersects with technology. For more information or assistance, please contact Dr Ian Gauci, Dr Terence Cassar or Mr Stefan Briffa.

Disclaimer: The information above is not intended to impart any legal advice. You are urged to seek verification of any statements above before acting on them. Naturally, we would be more than happy to advise in respect of any data protection need that you may have.