The Return to Work Safely Protocol (the “Protocol”) advised employers to implement a number of novel measures such as temperature testing in order to mitigate the spread of COVID-19. While adherence to the Protocol is vital in ensuring a safe place to work, until recently, there has been a lack of guidance on how to implement the Protocol while complying with data protection obligations. This was particularly concerning in light of the serious privacy and employment concerns arising from processing health data. As such, the recent Guidance published by the Data Protection Commission (the “DPC’s Guidance”) and the Department of Business, Enterprise & Innovation (the “DBEI’s Guidance”) on 26 June 2020, provides welcome relief for employers seeking clarity on the data protection implications of the Protocol.

Temperature Testing

As part of the employer’s pre-return to work steps, the Protocol advises employers to implement temperature testing in line with public health advice. Notwithstanding this, to date, no public health advice has been issued on this. On this basis, the DPC’s Guidance states that temperature testing should not be considered a requirement of the Protocol at this time.

However, the DPC did concede that temperature testing may be considered in a particularly high-risk workplace. For example, where there are specific organisational risks or challenges e.g. where due to the nature of the role, it is difficult for staff to adhere to social distancing requirements, where staff are required to travel as part of their role etc.

Contact Tracing 

The Protocol recommends that employers keep a log of contact/group work to facilitate contact tracing. The DBEI’s Guidance further clarifies that this contact log should be maintained for staff who are in close contact with one another for extended periods of their work shift, where social distancing may be difficult. The purpose of the contact log is to facilitate the HSE’s official contact-tracing procedures and to act as a memory aid for employees on their close contacts in the event of a COVID-19 diagnosis.

Return to Work Form

The Protocol recommends that employers establish and issue a pre-return to work form for employees to complete at least three days in advance of their planned return to work. This form asks the employee a number of questions including whether they have been diagnosed with COVID-19, whether they have any COVID-19 symptoms or if they have been in close contact with anyone who has contracted COVID-19.

The DBEI’S Guidance further clarifies that the Form should be tailored such that the organisation collects the minimum information necessary and should generally not be processed for any other purposes. Notably, the DBEI’s Guidance advises that the form should not be retained once an employee has returned to the workplace.

Practical Measures 

In light of this recent guidance, when implementing a new measure to mitigate the risk of COVID-19, employers should ask the following questions:

  • What is the purpose of the processing? When implementing a new practice which involves the processing of personal data, employers should consider the purpose of the processing. This will differ according to each organisation, based on its own individual risk assessment.
  • Does the new measure achieve that purpose? The employer will need to consider whether the measure is proportionate i.e. whether the same results can be achieved through less intrusive means. Where this is the case, the practice will not be considered proportionate.
  • Is there a legal basis for processing the data? When processing personal data, an employer must have a legal basis for doing so as per Article 6 GDPR. When processing special category data, such as data relating to an employee’s health, in addition to complying with Article 6, an employer must also be able to satisfy one of the requirements of Article 9 GDPR. In this regard, the DPC has highlighted the following legal basis for processing:
    • Under the Safety, Health and Welfare at Work Act, 2005, employers are required to ensure the health and safety of individuals in the workplace. In this regard, Article 6(1)(c) GDPR provides for the processing of personal data where it is necessary for compliance with a legal obligation to which the employer is subject. Article 9(2)(b) GDPR provides that the processing of special category data will be permitted where the processing is necessary for the purposes of carrying out obligations in the field of employment, social security and social protection law.
    • Employers will be required to act under the direction of public health authorities to protect against COVID-19. In these circumstances, Article 6(1)(e) GDPR provides for the processing of personal data where it is necessary for the performance of a task carried out in the public interest. Similarly, Article 9(2)(i) GDPR provide that the processing of special category data will be permitted where the processing is necessary for reasons of public interest in the area of public health.
    • It should be noted that consent will not constitute a suitable legal basis for the majority of processing operations concerning employee data in the workplace.
  • How much data should an employer collect? Only the minimum amount of personal data should be collected as is adequate, relevant and necessary to achieve the purpose. For example, when keeping a contact log for the purpose of avoiding the risk of spreading the virus and protecting other workers, it may be considered necessary record when the employee was diagnosed, any employees s/he was in close contact with etc, but it would not be necessary to record any information outside the scope of this purpose such as the employee’s medical history, work performance etc.
  • Are there any steps an employer can take to protect the personal information? Employers will be expected to implement appropriate safeguards e.g. limiting access to the data, pseudonymisation or encryption of the data. Any data that is processed must be treated in a confidential manner i.e. any communications to staff about the possible presence of coronavirus in the workplace should not identify any individual employees. Employers should consider whether a Data Protection Impact Assessment is required where the processing could result in a high risk to the fundamental rights of individuals and includes the processing of special category data i.e. in this context, health data.
  • How can the employer make the processing of data transparent? Employers should update and circulate their Privacy Policy and Privacy Notice to inform staff and visitors what data will be collected, how the data will be used, with whom the data will be shared and how long the data will be retained. Employers should also update their data retention policy to ensure the data is not retained for any longer than necessary.

Our Employment & Corporate Immigration Team regularly advises employers on drafting and updating policies and has extensive experience advising on a range of employment and data protection related issues/disputes arising in the above context. For further information, please contact Bláthnaid Evans or Sheila Spokes, +353 1 639 3000 or visit www.leman.ie.