COVID-19 Pandemic
Since 31 December 2019 world has fought relentlessly with COVID-19 disease which is caused by the coronavirus. Once the disease turned into a pandemic, which was first seen as an outbreak from Wuhan, the People's Republic of China then spread expressly throughout the globe. Since then; every country has worked tirelessly to prevent the pandemic from accelerating any further.
With the vaccination, the process occurs to prevent losses of millions of lives, the statistics of how many people had already been vaccinated or survived after the disease gained importance in the eyes of many countries as well as employers around the world who try to prevent the transmission of the virus in the workspaces.
Usage of COVID-19 Data
Regarding employers; creating statistics and using the data of vaccination and tests become crucial. As many countries' information offices dealt with how to manage these data. The need has arisen from storing process to actively using this data to ban certain people from getting into the premises of the workplace. ICO was also made certain explanations regarding how should employers collect, store and use these data and how the process should be handled aligning with UK GDPR. ICO enlighten these process by identifying the data as; COVID-19 symptoms, vaccination and tests info.
According to ICO; certain questions must be asked to an employer to identify the legal reasoning of processing such data. In this context; the employer need to consider,
- how the collection of extra personal info might help to keep the workplace safe,
- is it a necessity to collect such info,
- the test that's been considered would guarantee a safe environment and most of all
- can the result be achieved without the collection of such info?
The employer should keep in mind these questions and be able to answer them to obtain such data. If the employer can address these issues with the approach of reasonable, fair and proportionate to the circumstances then the data processing would not be groundless and align with UK GDPR.
Reasonable, Fair, Proportionate Process of Sensitive Data
ICO also advise that; if these data would be collected then an employer should collect only the information needed to implement their measures appropriately and effectively. To achieve data minimisation; the data that is processed should be adequate; which sufficient to properly fulfil the stated purpose, relevant; which contain a rational link to the purpose and limited; which is necessary so employers would not hold more data than the need of the purpose.
When an employer would like to carry out workplace tests; to check whether the staff have symptoms of COVID-19 or the virus itself then according to ICO; the employer still needs to comply with UK GDPR and the Data Protection Act 2018 since this type of data is related to health and sensitive itself as classified special category data. As a result; this data must be handled lawfully, fairly, transparently and because the classification category requires additional safeguards employer must form these safeguards. If the employer can not specify the use of this data but record it on a 'just in case' basis or can achieve the result without collecting this data then the justification of this collection would not be performed.
If the employer would like to collect these data based on 'just in case' then the employer should be conducting only a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it. If this conducting process is performed by checking the documents digitally such as by scanning the QR code displayed on the pass then this type of checking would constitute processing of personal data even the employer did not keep a record of it. Therefore the UK GDPR would be applied. If the employer would make a record of this data whether occurred by conduct visual or digital checks, then the employer would be processing personal data. Therefore the UK GDPR would be applied in this case too.
Processing under Public Health or Employment Condition
If the employer would like to process such data collected from employees or customers then either this data processed under the condition of employment or public health. The employment condition determined in Article 9(2)(b) along with Schedule 1, Part 1(1) of the DPA 2018. The public health condition determined in Article 9(2)(i) and Schedule 1, Part 1(3) of the DPA 2018.
If the employer intends to rely on the public health condition then must ensure that; either a health professional carries out the processing or tell people that treating their COVID status as confidential and would only disclose it in clearly defined circumstances. In such cases; getting the consent of the employee is rarely appropriate because the employment setting concludes the imbalance of power between the employer and employee. Similarly, in the cases that the employer would be getting consent from the customer is unlikely to be appropriate since checking a COVID pass is a condition of entry to the premises or workplace. As such; the situation is considered as unlikely for the consent to be 'freely given' in these circumstances. If the employer identifies either the employment or the public health condition as a condition for processing special category data and meet the Schedule 1 obligations then do not need the employee's separate consent to receive test results.
Data Minimisation
While requesting such data; the employer should ask for the minimum amount of data necessary for the purpose. Such as; if an individual has a clinically approved exemption status then the employer should not be routinely requesting further information regarding the clinical reason behind the exemption. The employer should also take into account that accepting the offer of a vaccine is a personal decision, which could be influenced by several factors. If the employees work somewhere where they are more likely to encounter those infected with COVID-19 or could pose a risk to clinically vulnerable individuals then these factors could form part of the justification for collecting employee vaccination status. However, if the employer only keeps on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information. Another aspect of the usage of this data is that not lead to any results as such an unfair or unjustified treatment to employees or other cases customers or visitors. The type of collection process also should be handled delicately.
According to ICO; 'just in case' basis If you are only conducting a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute 'processing'. The activity would therefore fall outside of the UK GDPR's scope. Regarding taking a temperature on the other hand since constitutes using a digital thermometer involves the processing of personal data even if the employer would not record any information. Employers should be alerted that this data is health data which falls under the special category data.
Since COVID-19 is a notifiable disease, employers must inform public health authorities when there are two or more cases confirmed as it constitutes an outbreak. Employers should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues but should avoid naming individuals.
Conclusion
In the UK; the employer should handle the data concerning COVID-19 with care. Those data aforementioned are specified as health data so categorized as sensitive data. Data minimisation, data processing conditions of employment and public health also consent issues should be addressed before processing such data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.