
Employers Guide To COVID-19 & GDPR


Not only has the Covid-19 pandemic brought about a new way of life, it has also brought with it a new way of working.

This has introduced factors that many employers would not have had to consider prior to the pandemic. We've put together some frequently asked questions that will help employers navigate their way through the pandemic in line with GDPR regulations.

What obligations are imposed on data controllers for the purposes of GDPR?

Data controllers must follow these rules when collecting data:

  • The data must be adequate and the data controller must only hold data which is necessary
  • The data must be accurate and up to date
  • The data must be stored safely
  • The data must be processed and protected so that it is not unlawfully accessed
  • The data controller must be able to demonstrate that privacy notices are kept up to date, as it is not enough to be compliant

How does an employer find out what data can and can’t be processed?

Employers can find guidance on the lawful processing of data under Ground 6 and Ground 9 of the Data Protection Act. Ground 6 confirms that the data must be necessary for an organisation's legitimate assessment interests to comply with a legal obligation. It may be necessary for the performance of a contract. Ground 9 confirms that you require explicit consent from the employee. It must be necessary to carry out obligations and privacy notices must be in place.

What is a special category of data?

Special category data is personal data which is likely to be more sensitive and should be handled with greater care. Special category data will include holding details on an employee's health. Ground 6 and Ground 9 will need to be applied in order to process this type of data.

What rules can employers follow so that they do not fall foul of the Data Protection Act?

Employers should ensure that they communicate and consult with their employees to confirm why data is being collected.  Employers should carry out Data Protection Impact Assessments and ensure that their privacy notices are up to date.

What is a Data Protection Impact Assessment (DPIA)?

A DPIA will assess the impact of data processing activities on the protection of personal data.  Employers should follow guidance given by the ICO. It is required when processing personal data which is likely to be high risk due to the impact it has on the rights and freedoms of natural persons.

What should a DPIA include?

A DPIA is a living document and should include the following:

  • A description of the intended processing
  • An assessment of the necessity and proportionality of the processing
  • An assessment of the risks to the rights and freedoms of the data subjects
  • Any measures to address the risks identified to be compliant with the GDPR

Can an employer temperature test an employee?

It would be advisable that employers do not temperature test employees, as this would be special category data and it would be difficult to show that it is in the business's legitimate interests to hold such data. An employer would need to comply with Ground 6 and Ground 9 of the Data Protection Act.

What if a visitor has a temperature?

Ideally there would be an action plan in place to tell the employee how to deal with this situation.  This should include how the information should be relayed and how the data will be kept to a minimum.

With employees working from home what do employers need to do to make sure they are compliant?

The obligations that were on the employer when employees were working in the office will continue even where employees are working from home.  The ICO provides guidance on this and how best to protect data where home offices have been set up.

Can you monitor production levels while someone is working from home?

It is advisable not to use covert monitoring unless it is for the purposes of a criminal investigation; any monitoring should be overt.

Can you force employees to use the track and trace app?

No, you cannot force employees to use the app.

Should an employee become ill from Covid-19, can you tell the other employees?

Under health and safety obligations an employer would need to let the workforce know that someone has tested positive for Covid-19; however, they do not need to give the details of who. In small teams, however, it may be easy to work out who that person is.

If you require assistance with any type of Employment Law you can contact our Employment team on 0800 088 6004.