The Return to Work: Privacy issues in the ‘new normal’
Most jurisdictions are working on plans to end, or at least ease, the current lockdown. For many businesses that means planning for their employees to return to work.
However, this will not be a return to normal. Businesses will need to implement different working practices to ensure the health and safety of their workforce and prevent further Covid-19 infections. We consider the privacy implications.
What will a return to work involve?
A return to work will require business to address a whole range of issues. Some of these will be practical such as implementing social distancing measures at work, providing PPE and ensuring regular deep-cleaning of facilities. This might require significant changes in working patterns such as staggered working hours or a phased return to work. Similarly, this will raise difficult HR issues. For example, businesses will need to make arrangements for employees who are particularly vulnerable to infection and consider how to manage employees who refuse to return to work.
The implications of a return to work will vary greatly depending on jurisdiction and sector. Some governments have mandated strict measures to combat the virus or have sufficiently reduced the infection rate to already allow most businesses to return to work. Similarly, different businesses face different levels of risk and challenge depending on whether their employees work in an office, shop, farm or factory floor. Some of the riskiest businesses, such as healthcare providers or supermarkets, never entered lockdown in the first place.
All of this means that there is no ‘one-size-fits-all’ approach and every business will need to plan based on their own particular situation. This article focuses on the position in the EU under the GDPR.
Keeping infection out of the workplace
The starting point for most businesses will be to try and keep infected individuals out of the workplace and thus prevent others from being infected. This includes not just employees and contractors but also customers and suppliers, and reflects the business’ duty to provide a safe working environment.
A range of solutions can be used to achieve this aim, for example:
- Communications and culture: The starting point is to reinforce existing Government guidelines that individuals who think they may have been infected should stay at home and isolate themselves. However, many employees might still want to come into work to protect their job in the current, difficult, economic environment. This means it is also important to engender a culture in which employees understand this is not acceptable because of the risk to their work colleagues and others.
- Questionnaires: One way to more systematically identify individuals at risk of infection is to issue them with a questionnaire. This reminds individuals of the importance of isolating and ensures that those individuals have used a proper and systematic process to assess the risk they might be infected.
However, this is likely to result in the business accumulating a large amount of personal data (including health data) about its employees and other visitors to its premises, and potentially family members of those individuals. This is problematic and a number of data protection authorities, such as the Belgian and French regulators, have objected to the mandatory use of detailed questionnaires, though the Spanish regulator appears to have accepted they may be used in some cases. The use of questionnaires might also not be appropriate for someone visiting your premises, for example asking your customers to complete a questionnaire before entering your premises.
- Self-assessment and declaration: A more privacy-friendly alternative would be to ask individuals to self-assess the risk they are infected then make a self-declaration. In other words, all the business gets is the answer (“Low/High Risk”) and not the underlying data. In addition, where the assessment concludes that the individual is at risk, they can be advised of the steps they should take next, such as informing their employer and getting tested (see below).
However, this raises practical questions about whether employees will be able to properly make the assessment, particularly where there are a number of different factors to take into account, and whether the self-assessment has been refreshed recently. There may be a role for technology to play in this approach, e.g. through an “Infection Assessment App” that stores all data locally and automatically analyses it to assess risk.
- Temperature and other physical checks: Finally, businesses might want to conduct temperature or other physical checks on their employees. The use of temperature checks remains controversial and the Dutch data protection regulator is reported to have threatened to fine those who carry out checks. However, it is not clear if this is really a significant privacy invasion. If a simple check is applied when the individual enters the premises and that result is not combined with any other data is not even clear if any personal data is being processed (particularly if an analogue mercury thermometer is used, though this would not be advisable). Other types of testing such as swabs or blood tests are more invasive and are discussed below.
Businesses might also want to test their employees to determine if they have actually been infected by Covid-19. The practical arrangements for testing will vary from jurisdiction to jurisdiction and will be heavily influenced by local employment law. The approach will also depend on the accuracy of any tests. However, as a general rule:
- Medical professional: If the testing involves taking a swab or blood sample then it should generally only be carried out by medical professionals. This is partly because of the risk that the person carrying out the test could also be infected but also because sticking a needle in someone is a skilled undertaking. However, alternatives allowing individuals to test themselves may well also become more widely available over time.
- Consent: Testing should also only take place with the employee’s agreement. Trying to take a swab or blood sample without the employee’s agreement will likely be impossible and illegal, albeit that the legal basis for processing personal data generated by the test will probably not be consent (see below).
However, businesses may still have an important role to play telling employees what options are available for testing and/or paying for additional testing. Businesses will also want to track the level of infection within the business (see below).
Contact tracing and the role of Apps
If an employee is found to be infected, businesses may want to warn those who have been in close contact with the employee about the risk they have also been infected. This again needs to be approached with caution. In particular:
- Confidentiality: While informing employees that they may have come into contact with someone who is infected will be possible in most jurisdictions, careful consideration would be needed before identifying that individual. Where the infected individual is identified, it should normally be on a limited and confidential basis.
- Efficacy: The efficacy of contact tracing within an organisation will likely vary depending on the size and complexity of that organisation. For example, if the employee works in a large building it is unlikely that they will remember everyone they bumped into in the reception or got into a lift with.
For this reason, while the business might have a minor role in contact tracing, some may want to leave this to public health authorities and/or the new breed of public contact tracing Apps coming to the market (see Trust & Tracing: The EDPB issues its “specification” for Covid Apps).
Businesses will also need to consider their attitude to public contact tracing Apps. While encouraging employees to use those Apps is sensible, making these Apps mandatory is likely to be unhelpful given most governments have stressed they should be voluntary. There may also be employment law processes to follow in how employers manage an employee’s refusal to use the Apps and whether making these Apps mandatory would be a reasonable instruction
Businesses will need to track the impact on their workforce in order to assess the overall risk to the business and the effectiveness of the measures taken to combat infection. This is likely to mean businesses keeping records of which employees are vulnerable and shielding, potentially infected and so self-isolating, currently infected or have previously been infected (and are therefore likely to have some immunity). This information will also be needed to manage the workforce in order to operate the business.
The collection of this information is unlikely to be problematic per se so long as there is clear justification for keeping that information (supported by a legal basis under the GDPR) and proper safeguards are applied to that information in order to ensure it is kept secure and held no longer than necessary (see below).
Legal basis and safeguards
These measures may result in the collection of significant amounts of personal data, including health information which is treated as special category data under the GDPR and so is subject to additional protection.
There are a number of legal bases under the GDPR that could justify the processing of this personal data. This might include consent from the individual but in most circumstances it would be better to rely on different processing conditions, particularly given the challenges in getting valid consent from employees. Instead, business should consider relying on:
- Personal data (Article 6): The most likely legal basis will be that the processing is necessary: (a) to comply with a legal obligation, e.g. the business’ duty to provide a safe working environment, or (b) that the measures are in the business’ legitimate interests and those interests are not overridden by the rights of the individual.
- Health data (Article 9): Again, the most likely legal basis will be that the processing is necessary to comply with a legal obligation, e.g. the business’ duty to provide a safe working environment. However, it might also be possible to justify the processing as being necessary for public health reasons.
However, much depends on the relevant processing being necessary, which requires a case-by-case assessment of the proportionality of the measures depending on the nature of the business, the risk of infection and the exact measures being taken. Again, there is no “one-size-fits all” solution.
Key to the proportionality assessment and compliance with the wider obligations under the GDPR are the safeguards applied to the data, such as ensuring the personal data is held securely and that there is sufficient transparency for employees. Similarly, there should be arrangements in place to ensure this personal data is deleted once it is no longer required, though business should be alert to any statutory retention periods (e.g. for health and safety records) which might greatly lengthen the period this data must be held for.
The legal assessment will also need to reflect national variations. Even within the EU different data protection regulators are taking different approaches to these issues, though most businesses will want consistency between different jurisdictions to avoid the perception that some employees are receiving better protection than others.
Finally, it is important to properly document the response to these issues. The GDPR will, very likely, require that a data protection impact assessment is carried out for this processing. Other documentation requirements might also arise, for example in the UK a legitimate interests assessment and appropriate policy might also be needed.
By Tanguy Van Overstraeten, Richard Cumbley, Georgie Kon, Sonia Cissé and Ceyhun Pehlivan