It may also involve the processing of highly sensitive information about your staff and people connected to your staff (such as their household and family members). The aims of maintaining the health and safety of workers and taking steps to protect the economic interests of businesses are, understandably, of critical importance. However, it is also important that the principles of data protection and the rights of individuals remain respected when attempting to achieve these aims. This is particularly important when the personal data involved consists of special category personal data.
Special category personal data includes information about physical and mental health and is generally afforded some of the highest levels of protection under UK data protection law.
The checklist below is written from a General Data Protection Regulation ('GDPR') and Data Protection Act 2018 ('DPA 2018') perspective; it highlights some of the key data protection requirements that businesses should take account of when planning for their return to work.
- Identify and document COVID-19 data processing activities: Your response to COVID-19 and returning to work may involve the processing of new personal data for new purposes, existing personal data for new purposes and/or new personal data for existing purposes. In order to understand the risks such processing may cause to your organisation or to the individuals that are identified by the personal data, your COVID-19 processing activities should be identified and documented.
- Provide appropriate information to workers about how their personal data will be used for COVID-19 data processing activities:
- Transparency about the processing of personal data is a central pillar of data protection law.
- You should consider what you have previously told workers about how you will use their personal data and whether additional notice is required to cover your COVID-19 data processing activities.
- If you are also processing personal data about people connected to your staff, such as household and family members, consider what obligations you may be under to provide them with notice about your processing activities.
- Assess which lawful grounds your COVID-19 processing activities will be based on:
- Personal data must not be processed without a valid lawful basis under Article 6 GDPR, and if special category data are being processed (e.g. for temperature checking or for establishing whether someone has had, or is showing symptoms of, COVID-19), an additional and more restrictive condition under Article 9 GDPR must also be satisfied. Lawful grounds that may be applicable under Article 6 include that processing is necessary for the legitimate interests of the organisation controlling the personal data (or of a third party) and that processing is necessary for the performance of a task carried out in the public interest (see Article 6(1)(f) and (e) GDPR). For processing special category personal data, relevant conditions include that processing is necessary for carrying out obligations and exercising rights in the field of employment (see Article 9(2)(b) GDPR and Schedule 1, condition 1 of the DPA 2018).
- It is important to note that defaulting to consent as a ground for processing personal data is unlikely to be an appropriate solution in the employment context. This is due to the potential imbalance of power between employer and employee making it difficult for consent to be considered 'freely' given (which is one of the prerequisites of valid consent under the GDPR).
- Review the personal data being collected to keep it to a minimum and set retention periods for the data: The personal data you collect should be kept to the minimum that is necessary to satisfy the purpose of the COVID-19 processing activity. You should also, where possible, set retention periods for the data so that it is not kept for longer than is necessary.
- Consider how you will respond to the increased exercise of data subject rights:
- The GDPR provides a number of rights to individuals, including the ability to access their personal data.
- Despite the strain on resources that may be caused by COVID-19, businesses must continue to comply with subject rights requests. In the event that COVID-19 related changes to working arrangements become contentious, there is also the potential for organisations to receive an increased number of subject rights requests.
- Consider whether you have the right measures in place to handle rights requests as your organisation returns to work. For example:
- can you still easily access the personal data the business controls, and is the answer the same for personal data held by remote workers or on personal devices?
- do you have the people or technology available that you would usually rely on to find and locate personal data and assess a request?
- could you handle a potential influx of subject rights requests?
- will you need external support, and is that external support itself impacted by COVID-19?
- Review whether your data security measures are suitable for your new working arrangements:
- As lockdown restrictions are relaxed, many organisations will continue to rely heavily on remote working or even adopt it as their default working arrangement going forward. Organisations may also look at what new technologies (such as temperature checking technologies) can be deployed to help maintain a safe working environment. Against this backdrop it is important to ensure that your physical and cyber security measures are appropriate for your new working arrangements.
- Consider whether your security controls are sufficient for a remote working environment. Questions to ask yourself include:
- do you need to security assess the new tools that you have relied on, or will rely on, for remote working?
- what security measures need to be in place to secure staff personal devices?
- are staff now more likely to move between home and other remote locations with information assets and, if so, what risks does this create?
- what processes need to be put in place for the disposal of physical (including paper based) assets when staff work remotely?
- will you need to assess homeworking environments for security threats?
- what guidance, training and awareness is required to ensure your staff are appropriately informed and understand remote working security risks and their responsibilities?
- If you are using new technologies to monitor or trace employees in relation to COVID-19 symptoms, it will be important to ensure that appropriate technical and organisational measures are in place to secure the data they process. Before adopting any new technology, you should determine the security requirements it must meet. You should assess the technology and any associated vendor or service provider (who may have access to personal data processed through the technology) against those requirements.
- It is also important to consider whether your existing approach to breach detection and reporting appropriately takes into account a remote working environment and any new technologies you deploy.
- Undertake privacy impact assessments for the adoption of new technologies, for profiling and other processing operations using health data, and for monitoring or making significant decisions about workers:
- COVID-19 data processing activities are likely to carry privacy related risks for businesses and workers. Appropriate assessment of those risks and a subsequent understanding of how to mitigate those risks and any legal requirements associated with them is essential for businesses.
- It is advisable, amongst other triggers, to conduct a privacy impact assessment where COVID-19 processing activities involve the:
- processing of personal data using new (innovative) technologies e.g. tracing apps;
- processing of special category personal data (including health data);
- profiling of workers or other processing operations to make significant decisions about workers; or
- monitoring of workers (e.g. at home or to track their location).
Depending on the exact nature of the processing activity, a formal data protection impact assessment may be required under the GDPR.
- Review whether your COVID-19 processing activities are resulting in new international transfers of personal data:
- Your return to work approach may involve new transfers of personal data outside of the country that workers are located in. For example, there could be new transfers of personal data to a central HR team or to a COVID-19 response team that is in another country.
- Where new international transfers of personal data are taking place, they should be assessed against the restrictions in the GDPR on transferring personal data outside of the European Economic Area. The assessment should consider whether the transfer is covered by any existing transfer mechanism that you have in place (e.g. Binding Corporate Rules) or whether new transfer mechanisms (e.g. Standard Contractual Clauses) or other grounds under the GDPR need to be put in place to permit the transfer.
- Undertake appropriate due diligence of third parties: To the extent your return to work strategy may involve personal data being processed by a third party (whether that is a third party technology service provider or support from another part of your group), you should ensure that they are subject to appropriate vendor due diligence and, where necessary, a data processing agreement is in place with them that provides sufficient guarantees with respect to the safeguarding of personal data in accordance with the GDPR.
- Assess the circumstances under which you will disclose information about affected individuals: Develop a policy for if, when and what information you will disclose to staff members or other third parties (such as public authorities) about affected individuals.
- Consider who may adversely scrutinise your COVID-19 processing activities and address the risks they pose:
- A range of adverse scrutineers may eventually review the decisions you take with respect to COVID-19 data processing activities. These include data protection supervisory authorities, workers, their legal representatives, shareholders and works council/trade unions. Adverse scrutineers can even include external threat actors such as criminal organisations running COVID-19 related phishing scams to gain credentials or other information from workers.
- Trying to view your COVID-19 data processing activities through the eyes of your adverse scrutineers is an important risk mitigation strategy. It can allow you to identify risks that have a greater chance of being realised or the greatest impact on your operations and prioritise them for a response.
- For example, understanding relevant supervisory authorities' position on certain processing activities (e.g. medical testing) can allow you to develop your return to work strategy accordingly in their jurisdiction; and understanding the concerns of your staff and their expectations with respect to the handling of their personal data, can help you develop data processing activities that are least likely to be seen as contentious by them.
- Document your decision making and maintain accountability:
- The GDPR requires that organisations are able to demonstrate their compliance with its requirements. During the COVID-19 crisis and your return to work, maintaining a clear and comprehensive audit trail of all privacy-related analysis and decision-making will be essential. This will not only help address the GDPR's accountability requirements but will also help demonstrate how you reached decisions (if you are subject to adverse scrutiny).
- Example documentation includes that which is formally required under the GDPR (such as privacy notices, data protection impact assessments and records of processing activities) and appropriate policy documentation as required under certain circumstances under the DPA 2018 (e.g. when processing health data for employee health and safety purposes). It can also include the policies and documented procedures that you update and create in response to COVID-19 data processing (such as updates to IT security policies, procedures for collecting COVID-19 health information from staff and new data protection training materials).
To conclude, the ideas described in the checklist above revolve around four key concepts:
1) Identify – how the return to work will change or bring in new ways of processing personal data;
2) Analyse – the data protection risks and requirements that are relevant to the changed or new ways of processing personal data;
3) Mitigate – the risks that are identified (doing this on a prioritised basis); and
4) Document – your decision making and the policies and procedures you develop.
Addressing these four concepts should help put your organisation in a good position to address future scrutiny of your COVID-19 processing activities, particularly if attitudes that may favour processing now change in the future.
If you need assistance with anything contained in this note please contact DWF's Data Protection and Cyber Security team.