As our Health Authorities continue testing and tracing for COVID-19, many employers have had to face a new reality of having a number of employees in mandatory quarantine and, having to implement measures to protect the safety of employees at the place of work, effectively leading employers to potentially process employee health data.
The processing of health data amounts to processing of special category data under the GDPR and requires an extra layer of protection due to its sensitive nature.
Employers processing health data must always ensure that processing is lawful, fair and transparent and complies with all principles and requirements under the GDPR. To ensure that processing is lawful, a ground for processing under Article 6 must be identified. In addition, employers may only process special category data if one of the specific conditions under Article 9 of the GDPR is met.
Is it appropriate to use temperature checks as part of ongoing monitoring of staff?
Employers may carry out such checks but should not be keeping logs linking employees to temperature readings. In so far as no records are kept, in hard or soft copy, by the devices used to measure temperature or in manual form by the employer, such temperature measurement would not fall within the scope of the GDPR.
Employers should, in line with the principle of transparency, explain the rationale behind the screening and provide clarity at the outset to employees as to what decisions will be taken on the basis of the temperature reading. A policy detailing the screening protocol and the confidentiality and security measures implemented is recommended.
Furthermore, if such screening is introduced on a mandatory basis, it is crucial to ensure that such screening is carried out for all employees without distinction.
Can employers keep relevant records and documentation of employees who either have symptoms or who have tested positive for COVID-19?
Should an employer need to process employee health data, the employer must ensure that the processing of such data is both necessary and relevant for the intended purpose. Employers must also ensure that the processing of such data is secure and must also contemplate any duty of confidentiality owed to employees.
The processing of such data must be :
- adequate, in that the processing suffices to fulfil the stated purpose;
- relevant, in that the processing has a rational link to that purpose; and
- limited to what is necessary, in that no data further than that which is required for that purpose is processed.
Privacy law also requires that any personal data processed is accurate. Relevant dates linked to health data ought to be processed as the health status of individuals may change over time and such data may no longer remain valid.
Employers should have a clear and accessible privacy policy in place for employees, before any health data processing begins.
Can I share the fact that an employee has tested positive with other employees?
As an employer, it's your duty to ensure the health and safety of all your employees. You should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues and take the required protective measures. However, you should avoid naming individuals if possible, and you should not provide more information than is necessary. If circumstances require the name of the employee concerned to be revealed, such as in a preventive context, the concerned employee is to be informed in advance and their dignity and integrity is to be protected.
Originally published 5th June 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
