Processing health data about staff
Employers will have a duty to ensure the health and safety of their employees and contractors. To manage the contagion within the workforce, employers will have to take steps to appropriately monitor the health of their staff. The flow of information will go both ways. Employees will be asked to provide information about their health and employers will notify members of staff about infections within the organisation. The data may be important for ensuring compliance with the Government’s guidance on self-isolation as well as for payroll purposes.
Given that the health data is processed because of a duty of care owed to staff, employers may be able to rely on the condition for processing of special categories of personal data in the field of employment. The Data Protection Act 2018 provides further conditions that have to be met in this regard.
At the same time, the employer will have to satisfy a lawful basis for the processing of personal data, such as legitimate interest. In relation to each processing activity and purpose of processing, the necessity test and the legitimate interest balancing test will guide the employers in striking the right balance between the information required, processed, shared and disclosed and their staff members’ right to privacy. An appropriate policy will have to be put in place to ensure that the data is processed lawfully.
Alternatively, employers may be able to rely on the lawful basis and condition for processing relating to the establishment, exercise or defence of legal claims. According to guidance from the Information Commissioner’s Office, this condition for processing of special categories of personal data would apply to processing necessary to fulfil a duty of care owed to individuals. No legitimate interest assessment will be required; however, the necessity test will guide the scope of processing in relation to each processing activity and purpose of processing.
Of course, there may be situations where the vital interest ground and condition may be called upon. This is particularly relevant in the employment context where employees cannot validly give consent due to the dependent nature of the relationship between employer and employee.
Monitoring of staff
Employers may have a particular interest in gathering productivity-related data in a time where most of their staff work from home.
It will be important to remember that any monitoring of staff through corporate devices or BYOD devices must be explained by way of a privacy notice. In addition, monitoring must not be applied in situations where employees have an expectation of privacy. If monitoring is carried out, it must be proportionate, lawful and fair.
Where the use of intrusive technologies could clash with these requirements, monitoring may best be ensured by managers’ regular contact with their team members and setting milestone-based tasks.
Aggregated data
Businesses may wish to rely on anonymised data to inform forecasting and management decisions.
As a starting point, it will be important to get anonymisation right. As there is inconsistency in the rules among EEA member states, this may mean that what is anonymised data in the UK will not necessarily be anonymised data in Spain. Generally, if any data element can link back to the individuals and allow for reidentification, the data may not be anonymous but merely pseudonymous.
There may be instances where pseudonymisation will suffice; however, the limits on the use of such data will be greater.
Alex Dittel is a data protection & privacy senior associate