Covid-19: Data Protection and Employee Health

While Covid continues to subside, employers have a heightened responsibility for the health and safety of all employees, particularly as businesses return to the workplace. To the best of their ability, employers are required to maintain a Covid free environment and ban symptomatic employees from returning to their place of work. In this blog, Goldstein Legal will explain the guidelines for the management of employee health data and provide data protection guidance for those working from home.

Employee Health Data

The Information Commissioners Office (ICO), the UK body responsible for overseeing data protection, have released a 6-step guide advising on the collection and management of employee health data in light of the pandemic. The guide has been developed specifically to enable employers to adequately manage health related data as their employees return to work. The ICO advises employers to consider the following, and remain vigilant of employee health concerns at all times:

1. Only collect and use what is necessary – Employers should only request health data that is necessary to keep their employees safe. Any request for the provision of personal health data should be reasonable and proportionate in the circumstances
2. Keep it to a minimum – It is important not to collect data that the business does not need. Employers may take the view that the collation of Covid test results are sufficient
3. Be clear, open, and honest about their data – Employers should be open and clear about the storage and use of employee health data. If the data may mean that an employee is required to take time away from work, such as a positive Covid test, these measures should be communicated from the outset
4. Treat people fairly – A policy should be drafted to ensure that all employee health data, and any further action required, shall be handled fairly and in a non-discriminatory manner
5. Keep data secure – As with any other data, all employee health information is to be maintained securely, in accordance with the retention policy, and access should be restricted as required
6. Employees must be able to exercise their information rights – Employers should inform employees of their rights over the data, and not restrict or affect those rights in any way

The full guide is available at the following link – https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-six-data-protection-steps-for-organisations/

Working from Home

Current government advice is to permit at home working for employees who are shielding, those with Covid symptoms, and where social distancing is not an option in their normal working environment. Employees that work from home must remain data protection compliant and employers should consider the following:

• Use of Personal Devices – Permitting employees to use their personal devises at this time may be unavoidable. However, it is important to ensure that any such device does not leave your system or data exposed. Employers should ensure all devices are updated, have sufficient protections in place, and adequately support their network and software. Each device should be password secured, and it should be made clear to employees that all company data is to be held in a separate storage area which is hosted remotely.
• Video Conferencing – The use of video conferencing software has increased exponentially during the pandemic. Most programs have privacy and security features, including password controlled meetings and restrictions permitting the organiser to control those that enter. Employees should be vigilant when sharing meeting links via email and remain wary of suspect invitations that may be phishing for data access
• Policies, Security, Risk Assessments and Remote Working – Employers should assess the risk of any new IT solution, program, or similar, that is implemented to facilitate home working. In particular, employees will be relying on access to cloud storage and remote data sharing while at home. Employees should also update software and passwords regularly and implement multi-factor authentication. Employers that do not currently operate remote access should consider implementing these measures, especially for employees that manage ‘info’ or ‘admin’ accounts as these are often targeted. Employers are encouraged to reassess their existing policies and carry out additional training in order to mitigate the increased risk and remain compliant.