Is your workforce privacy notice pandemic proof?

COVID-19 has caused employers to process more health information about their workforces as they seek to keep their people safe. However, have employers thought about whether this is reflected in their existing privacy notice?

What is a workforce privacy notice?

The General Data Protection Regulation (GDPR) obliges employers to provide certain information to their workers and a workforce privacy notice is the easiest way for employers to do this.

A workforce privacy notice informs workers about how their employer collects and uses their  personal data. The notice should detail how a worker’s personal data is collected, stored, shared and used by the employer and what the worker’s rights are under data protection law.

Is it kept regularly updated?

Employers were very proactive to ensure relevant GDPR compliant policies were in place in time for the implementation of GDPR on 25 May 2018. As anticipated harsh financial penalties have since failed to materialise, many employers have been less rigorous in the regular review of their workforce privacy notices and keeping them updated.

The Information Commissioner’s Office (ICO) advises that privacy notices should be regularly reviewed and where necessary, updated. This is essential where an employer intends to use personal data for a new purpose that is not already detailed in the privacy notice. The current pandemic, and the need for employers to respond to it by collecting additional data on their employees, is unlikely to have been anticipated in many workforce privacy notices prior to March this year. Employers need to ensure that this situation is remedied and the privacy notices brought up to date.

COVID-19 and worker personal data

Employers must satisfy a legal ground for processing a worker’s personal data; the legal grounds relied upon tend to be on one of the following grounds: to perform the employment contract; to comply with the law; or for the purposes of a legitimate business interest.

Information about a worker’s health constitutes ‘special category’ personal data. This means that such data will need extra protection and employers will need to satisfy an additional legal ground in GDPR and the Data Protection Act 2018 to process that data lawfully.

• First lawful ground for processing: Employers will be able to choose to justify processing COVID-19 cases or symptoms within its workforce either for the purposes of its legitimate interests or to meet its legal obligations, in both cases in the provision of a safe working environment. However, the reliance of legitimate interests will necessitate a legitimate interests assessment being carried out before any data is processed. The alternative option of meeting a legal obligation is a less onerous way of meeting GDPR compliance.
• Additional lawful ground for processing: As COVID-19 infection cases or symptoms is health data, an employer must have a second ground for processing that data; this ground will be on the basis of employment and health and safety law obligations. Employers’ workforce privacy notices should already inform workers about the reasons why their health data is being processed. However, it is likely that employers are now processing different types of health data in addition to the health data collected pre-pandemic (for example, they now collect and process temperature readings or COVID-19 diagnoses in respect of their workers as well as for contact-tracing). It is incumbent on employers from the start to inform their workers about how and why their health data is being used and with whom it is shared in order to comply with the data protection principle of transparency, as well as how long it will be kept for to ensure that it is not kept for any longer than needed.

Employers should be either updating their current workforce privacy notice to encompass COVID-19 related processing or create a supplemental privacy notice specific to COVID-19 to sit alongside the general workforce privacy notice. The latter option, referred to by the ICO as layering, may be more practical for employers; a separate notice will be easier to review and amend regularly in light of any changing circumstances around COVID-19.

Consideration will also need to be given as to whether any applicant privacy notices need updating in light of COVID-19, especially if applicants are interviewed in person and the employer collects and processes their temperature or COVID-19 symptoms or diagnosis data.

Once updated or if a separate notice is created, this should be shared with employees (for example, by emailing it to all employees or posting it on the employer’s intranet in an easily accessible place).

If you require support in reviewing and updating your workforce or applicant privacy notice in light of COVID-19, please do not hesitate to get in touch.