The Data Protection Act 2018 (DPA) classifies information about an employee’s health as “special category data”. This means that it can only be processed by the employer in defined and restricted circumstances.
The Information Commissioner’s Office (ICO) has confirmed that it will take a pragmatic approach to enforcement issues in light of the pandemic. It has also recently issued Advice on Testing, which confirms that employers can, for example, disclose to colleagues that an employee has contracted COVID-19, provided that they do not give more information than is necessary; it states that, in most cases, it will not be necessary to name the individual.
Employees must be notified of the infection risk as soon as possible. An employer should simply advise that an employee who has been in the workplace has been infected and that appropriate precautions should be taken.
The NHS COVID-19 app was launched on 24 September 2020 and employers are encouraged to facilitate and support employee use of the app within the workplace wherever possible.
However, it is not mandatory for staff to have the app. It is also difficult to see how an employer could validly require employees to use such an app at all times, including outside of working hours, as to do so would arguably infringe employees’ privacy and would not be a reasonable management instruction. It is unlikely that it would be reasonable for an employer to insist that an employee uses their own device to download and operate the app.
If an employer wants staff to use an app and intends to process any of the personal data produced through the employee’s use of the app then it will need to have a lawful basis for doing so, and be able to demonstrate compliance with the DPA. This would include being satisfied as to the data security of the app itself.
Employers can use their own internal systems simply to notify staff of the need to self-isolate where a fellow employee tests positive, without using the NHS app.
However, the situation is even more complicated when it comes to visitors to the workplace. In England, on 18 September 2020 it became a legal requirement under the Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020 for some employers in certain sectors to keep details of staff and visitors to the workplace for 21 days, in a way that is proportionate, effective and manageable, for the purpose of NHS test and trace.
Under the GDPR, this data will be personal data and may even amount to special category data, depending on the information collected. Therefore, the employer must have a lawful basis for processing the data and be able to demonstrate compliance with the GDPR and DPA. The existence of these regulations means that these employers will be able to rely on compliance with a legal obligation as the lawful basis for processing.
Failure to collect these details as required is punishable by a fine of up to £4,000. The requirement is intended for establishments in the hospitality, tourism and leisure sectors as well as places of worship, facilities provided by local authorities and close-contact services such as hairdressers, in each case where they are providing on-site services (rather than take-away or delivery).
The ICO has updated its Guidance for collecting customer information following the launch of the NHS contact tracing app.
Because sharing their details is not compulsory, customers and visitors can opt out by informing organisations that they do not want their details shared for the purposes of NHS test and trace.
After records have been kept for 21 days they should be deleted or securely disposed of (unless they have also been created for other business purposes and comply with data protection requirements).
Surprisingly, the ICO guidance makes it clear that if an organisation isn’t in one of the sectors these rules apply to, it should not be collecting information on visitors ‘just in case’ there is a need to disclose information to a contact tracing scheme. In any event, without another lawful basis, express consent would also be needed.
A key data protection principle is data minimisation, so personal data should only be collected where it is “adequate, relevant and limited to what is necessary”. Mandatory collection and disclosure of customer, visitor and staff data to contact tracing schemes only applies to specific organisations, and therefore collecting visitor data just in case is not justifiable according to the ICO. Staff data is a different matter, as set out above.