As the UK slowly eases out of the Covid-19 lockdown, organisations might be wondering whether there are any specific GDPR requirements to consider. Here is a GDPR update with some of the issues to consider:
Covid-19 health information
As employees return to work, employers will understandably be asking more health-related questions: do they have any of the symptoms of Covid-19? Have they been tested? What were the results? And so on. Ordinarily, any collection and processing of health data would be considered sensitive data under the General Data Protection Regulation (GDPR), and so explicit consent from the individual would be required.
Organisations should be aware that there is a carve-out in the GDPR which they can rely on. Article 9 of the GDPR has a subsection that allows the processing of personal data without consent if it’s necessary to protect ‘against serious cross-border threats to health’. The current Covid-19 pandemic would almost certainly fall within this category, and so organisations would be able to rely on this as the legal basis for collecting and processing such sensitive data without the need to obtain explicit consent each time.
Nevertheless, be mindful to still apply the usual data protection principles – of confidentiality, data minimisation, purpose limitation and data security.
Working from home
Even though some employees are returning to the office, some organisations may consider that working from home is a sensible and productive option going forward. If that is the case, then organisations need to ensure data protection is kept in mind. Consider the following:
- Security checks on employees’ laptops/remote working facilities.
- Secure use of video conferencing facilities – check privacy settings and consider using passwords for meetings and restrictions on screen sharing.
- Ensure employees handle any hard copies of materials/print-outs in a data-safe way. Locking away confidential papers should be promoted as good practice, and you may wish to consider arrangements for collecting and shredding papers as necessary.
- If employees are using their own personal laptops at home, they should be encouraged to store any work data in a separate place from their personal files on their laptop. This will help reduce data breaches and will ensure that data retention requirements can be met.
- Obviously, the use of strong passwords and the latest software versions should be encouraged.
Despite these unprecedented times, organisations should continue to apply the principles set out in the GDPR:
Processing should be lawful, fair and transparent; data subjects should have a clear understanding of what personal data is being processed about them and why it is being processed.
Remember these key principles when (i) employees are returning, (ii) health information is being collected or testing is taking place, and (iii) considering the continued use of working-from-home facilities.