If you are a small business owner or HR practitioner who views the ongoing COVID-19 pandemic as a potential legal minefield when it comes to data, it seems unlikely you are alone.
There are many legal questions pertaining to managing a workforce during the pandemic, and so in this blog, we offer some concise answers to many of the common legal questions which COVID-19 has thrown up.
Q: Which are the biggest General Data Protection Regulation (GDPR) risks during COVID-19?
A: As an employer, there is a good chance you will have placed staff on furlough or asked them to work from home.
Because employees are working in new ways, this will lead to data being accessed and used by new means.
Consequently, there could be an increased risk of GDPR breaches, which requires vigilance from employers.
The best way of approaching these new circumstances is to follow guidelines which adhere to the GDPR, abiding by the same principles involved in working from a physical workplace.
Q: If one of my team may have contracted COVID-19, should I tell their colleagues?
A: There are only limited circumstances under which you would tell an employee's colleagues that they may have contracted the virus.
This would be when there is a genuine possibility that they may have come into contact with the colleague in question.
Informing team members would be an important part of the duty of care which employers are obligated to provide, but it would not typically be necessary to disclose the identity of the team member who may have contracted the virus.
Q: Can I collect information from my team pertaining to COVID-19?
A: Only if there is a genuine need to do so, and if it is lawful under data protection law.
Current data protection regulations can be used as a guide when considering whether you should collect and retain information from employees related to COVID-19.
Such information would typically be collected only in order to protect employees or customers from the risks presented by the virus.
Q: Which data risks does homeworking present?
A: The ability of your team to work remotely should not be compromised by data protection.
In general, it makes sense to implement the same data security measures that you would have in place at work.
Working from home presents unique considerations, and you should be sure that your team is aware of best practices when it comes to safeguarding data against, for example, phishing attacks, devices being used by unauthorised parties, and storage of physical documents at home.
Q: Can I force an employee to have a COVID-19 test?
A: In general, it is illegal to require a member of staff to undergo a medical procedure, but in unique circumstances such as the current pandemic it could feasibly be viewed as necessary.
Whether requiring a worker to take a COVID-19 test is viewed as justified is likely to come down to the nature of their role.
If their job description involves dealing with vulnerable people, it could be vital that they are tested when such tests become available.
Q: Should I allow employees to use their personal devices for home working?
A: There is no reason why personal devices such as laptops and smartphones should not be used for home working, so long as the right steps are taken to safeguard data.
The way in which you are using personal devices as a company will naturally influence your security considerations.
You might like to consider steps such as device encryption and more secure cloud storage which employees can access in a safe manner from their personal devices at home.
A data protection policy which addresses all prevalent risks will be central to your approach, and this will need to be communicated effectively.
Q: Can I ask for information relating to my employees which is held on contact tracing apps?
A: This relates to Article 9 of the GDPR, as it applies to a special category of employee data.
You might be able to require an employee to use an app, and have access to data held on it, especially if you, the employer, own the device which is being used.
A reasonable purpose for doing so is to ensure that an employee is not posing a risk to others on your team.
One way of approaching the matter would be for employees with the app to declare that they have not been close enough to an infected third party to be considered a risk.
At the time of writing, only a beta contact tracing app has been produced in the UK - the government and ICO are expected to issue further guidance pertaining to employee data once the app has been rolled out further.
Q: Can I share an employee's information with authorities if the information is health related?
A: Yes, so long as the data you are sharing with the government, or other relevant authorities, can be beneficial to public health.
This is because health information is regarded as a special category of data under Article 9 of the GDPR.
In the regulations, these situations are defined as "where processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health".
Q: Am I liable as an employer if my employee breaches the GDPR when processing data?
A: This looks likely to be the case, if you, as the employer, are the acting data controller.
Attention should be paid to the employee's particular conduct, and whether they were carrying out an ordinary duty, or acting on their own initiative.
We hope we have covered some relevant questions relating to data protection during the COVID-19 pandemic.
Do you have any questions on employment or data law?
Speak to the experts at Neathouse Partners. Call us today on 01244 893776.