As the world slowly returns to normalcy and businesses start opening their doors again, the risk of COVID-19 spreading is greater now than during earlier containment periods that we experienced at the beginning of the year. Consequently, employers will have a greater responsibility for ensuring that workplaces are safe and employees or visitors are not exposed to unsafe surroundings or practices.

One way to create a safer working environment and reduce exposure to COVID-19 is by collecting and processing relevant data, for instance data that would facilitate contact tracing if need be. To this effect, the Ministry of Industry, Trade and Cooperatives has published Guidelines for Business Operations during COVID-19 (the Guidelines), which mandates employers to collect health-related data of their employees and personal data of visitors.

In view of the Guidelines, employers and owners of premises should ensure that at all times, any data collected is in compliance with the Data Protection Act 2019 (the Act).

What data is to be collected and processed?

In light of the Guidelines, employers and owners of premises are likely to collect and process the following categories of data:

  • Personal data (please click here for a refresher on what some of the terms under the Act mean).
  • Health data, which includes data that relates to the physical or mental health of the data subject and includes records regarding the past, present or future state of the health of the subject.
  • Sensitive personal data, which includes biometric data and data revealing a person's health status.

How does the Act apply?

  • Employers need to make sure that employees and visitors are informed as to the purposes of processing, as well as the legal basis for this, and other requirements under the Act.
  • The information collected should only be what is necessary for the employer to fulfil a specific purpose (for example, ensuring the health of your employees and visitors). Ultimately, if it feels excessive then it probably is. For example, do you really need to record the temperatures of employees or visitors?
  • Retain the information only for as long as is necessary to enable you to identify the risks and to take action as required. Shred or delete the information if it is no longer needed. Check your security safeguards (remember, a lot of this information is recorded manually in physical register books). This is necessary not only to protect the information you collect but also because of the risks related to the increasing number of employees working from home.

What to check

  • Revisit your privacy notices - both for employees and for visitors - to ensure they comply with the Act.
  • Refer to our Return to Work Pack (click here for further information).
  • Consider doing a data protection impact assessment. This will assist in demonstrating your accountability and compliance with the Act.
  • Contact a member of our Data Protection team for more information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.