As lockdown restrictions are starting to ease, many companies are gearing up to welcome their staff back to work. Obviously protecting employee health and safety is paramount, but what measures can organisations reasonably take to support their return to work efforts? And how do they ensure that data protection laws are complied with when more sensitive personal data, such as health data, is collected?
This article follows on from our previous FAQs on the data protection aspects of COVID-19 which includes links to guidance in more than 40 countries – www.bit.ly/gdprvirus. There are some data protection specific terms in this note which are explained at www.bit.ly/gdprwords.
Governments in different countries have now issued guidance on returning to work. For example, the UK Government has published guidance which outlines five steps to working safely, namely:
The UK Government also provides guidance for different types of workplace (factories, offices, shops, vehicles etc.).
Similar guidance has been issued in other countries although with some differences – for example guidance in Germany suggests the safe distance is 1.5m.
As a reminder, health data is special category data under GDPR Article 9, and requires one of a number of specific exemptions to be met in order for it to be lawfully processed. The main way to legitimise the handling of health data, which is likely to be relevant to workplace testing, is processing for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment (GDPR Article 9(2)(b) together with Schedule 1, condition 1 of the UK Data Protection Act 2018).
This is subject to a necessity test, which means the processing must be necessary to the relevant purpose being fulfilled – it is not enough that a specific way of processing might be convenient if other less data protection intrusive alternatives are available.
Some employers seem to be seeking to rely on a data subject's consent, but in an employee / employer context consent can be problematic (essentially because of the inequality of bargaining power) and it can be withdrawn at any time. As a result consent will not always be the best solution unless you can offer a genuine alternative to employees who decline.
Ultimately, you will need to assess the relevant legal basis that best suits the specific back to work scenario you are facing on a case by case basis.
Some regulators have released specific guidance. For example in the UK the ICO has released guidance on workplace testing – there’s a link to this guidance below. It is important to remember that for EU countries, whilst GDPR sets out a basic framework, local law can differ even within the EU. It is also important to stress that guidance from regulators is just that – we can expect to see litigation and the courts may not follow any guidance which has been issued by a regulator. For example an employee disadvantaged as a result of data processed relating to their health may well try litigation alleging that data processing was unlawful. Organisations need to gear up for the more frequent exercise of subject access requests under GDPR too. There is a special risk of exercise of GDPR rights from employees who have been furloughed or let go.
If you’re using a third party or an app to help you, make sure you’ve done proper due diligence on the provider too. As we said in our alert in March, a number of start-ups are pitching solutions which may not be as good or as secure as they seem. If you are using a third party or app, you will also need to look at your transparency obligations under GDPR too – that’s likely to include disclosing who the provider is, where they will host data, what they will do with it and how long they will keep it for.
Some jurisdictions (for example parts of Germany) ban temperature checks. In others, temperature checks are only likely to be justified when all other reasonable less intrusive means have been exhausted and it is a proportionate response to the risk you are trying to address. For example, you would need to have already explored measures such as:
On this basis, it seems likely that temperature checks would only be able to be used on staff who cannot feasibly work from home, where the nature of the work that they undertake means that being in close proximity to others cannot be avoided and if one person is infected there is a high risk of them infecting many more people.
This issue of proportionality was also explored in the slightly different context of biometric fingerprinting by the Dutch DPA, which fined a company €725,000 in April for unlawfully processing fingerprints of its employees for attendance and time registration purposes.
This might be an area where guidance differs between countries and so you may need to take a look at the relevant law and guidance in those countries where you have operations.
The Italian DPA has said that Italian companies cannot directly perform COVID-19 diagnostic tests on employees. However, an organisation can ask its employees to carry out those tests if ordered by a competent doctor or healthcare professional. In addition, the processing of employee diagnostic data or family history to assess return to work can only be undertaken by competent healthcare professionals and not by the companies themselves.
In the UK the ICO has not been as prescriptive but it makes sense that diagnostic tests should only be undertaken by medically trained personnel and processed in laboratories with industry-approved testing standards. The ICO has also said that, where staff provide test results voluntarily, those results would need to be kept secure and you would need to consider any duty of confidentiality owed to those individuals who have provided test results.
An employer would generally be justified in requesting health data about a staff member having a condition that puts them at greater risk of becoming seriously ill, in order to assess whether that person can safely return to work. Even so, data minimisation applies: it may be more proportionate to ask employees to confirm whether they have any of a list of underlying conditions, rather than requiring them to specify which one.
The organisation may already hold some information about employees’ serious underlying health conditions, for example, in case they require special adjustments or something happens to them at work and they need medical treatment or for company-run health insurance schemes. The question then becomes whether use of health data that the company already holds for those purposes can also be used for purposes related to their return to work. In line with the “purpose limitation principle”, this will require an assessment as to whether further processing is compatible with the original purpose for which the data was collected. If not, it may be necessary to obtain consent to use the data for any further purposes.
You’ll also need to be sensitive about how you collect this data. For example if you are using technology designed to assess likely risk at the entrance to a building (such as arches or Rokid detection devices) you will need to make sure that employees are not forced to share their personal data where they can be overheard by co-workers and others in a queue to enter the building.
In our view, it is unlikely to be reasonable for organisations to force staff to participate in any government track and trace programme (which itself will be voluntary), nor could staff be forced to share track and trace app data with their employer. Whilst organisations could encourage staff to participate, this would need to be entirely their choice and they should not be penalised if they do not participate. Any communications about this would need to be carefully worded.
Many organisations are looking at a gradual return to work with some employees staying at home. It’s important to remember that for those employees still at home you’ll still need to make sure that personal data continues to be protected, employees are told how to avoid phishing attacks etc. There’s some guidance on that in our earlier alert here www.bit.ly/gdprvirus. Now might be a good time to review any earlier assessment of risk to make sure your risk assessment is still valid and to see if extra measures are justified given that working from home for some (especially those who are vulnerable) is likely to continue for much longer than some may have originally envisaged.
Some organisations are requiring employees to sign hygiene declarations promising that they will wash their hands regularly and adopt additional hygiene measures. Again organisations will need to exercise caution when implementing such a system and will need to pay attention to the tone of these messages and the system they plan to use. A DPIA is likely to be required. If the data is held electronically they will need to look at where the data is held to avoid data transfer issues. In some cases prior consultation or notification to a works council may also be required. Care must also be taken not to unintentionally vary employment contracts especially at a time of extra sensitivity for employees.
We are already seeing anecdotal evidence that helpline calls are rising with employees raising concerns about the behaviour of others in the workplace. Some of these concerns are likely to be genuine and are likely to require investigation. We have written about the heightened corruption risks business currently face for example here https://bit.ly/covbribe. Organisations will need to be careful however about employees raising more trivial concerns. Some jurisdictions (including France and Germany) require helplines to be focused on key areas of possible harm. Employees with more minor concerns should be encouraged to raise concerns with their line manager rather than a whistleblower line.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
The UK Government guidance is here – https://bit.ly/3eJxywZ
The UK ICO’s guidance mentioned is here https://bit.ly/2Bo8SM9
Details of the Dutch case on biometric data are here https://bit.ly/3eIxbTx
There are links to guidance in more than 40 countries in our original alert here www.bit.ly/gdprvirus
BSI has published draft safe working guidance which might be useful – https://bit.ly/36WzjUZ
For more information please contact Katherine Eyres or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan is an experienced lawyer with a concentration on technology and compliance. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Jonathan has counselled a range of clients on breach prevention, mitigation and response. He has also been particularly active in advising multi-national corporations on their response to the UK Bribery Act 2010 and its inter-relationship with the U.S. Foreign Corrupt Practices Act (FCPA).
Jonathan is one of three co-authors of the LexisNexis definitive work on technology law, “Managing Risk: Technology & Communications”. He is a frequent broadcaster for the BBC and other channels and appeared on BBC News 24 as the studio guest on the Walport Review.
In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing. He has spoken at conferences in the U.S., Canada, China, Brazil, Singapore, Vietnam, the Middle East and across Europe. Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology, risk and governance matters for more than 20 years. In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK. Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica in their 2016 Data Security Top 100 Influencers and Brands Survey.
Jonathan is a Solicitor of the Senior Courts of England & Wales. In addition Jonathan is admitted as a Solicitor (non-practising) in Ireland.