Data Protection and Employment Matters

Posted in : Supplementary Articles ROI on 6 January 2021
David Murphy
Data Protection Commission
Issues covered: Data Protection; Sick Notes; GDPR; Brexit; Covid-19; Return to Work Safely Protocol; Remote Working

Following on from his Data Protection Update for Employers 2020 at the Annual Review of Employment Law on the 25th and 26th November, David Murphy, Assistant Commissioner with the Data Protection Commission provides answers to questions that arose.

Health Matters

Is a GP putting the reason for illness on a medical certificate in breach of GDPR i.e., they are only putting down “A medical illness” or condition on the med cert now, rather than specifying why an employee is off.

  • In general, the purpose of a medical certificate if to confirm that an employee is unfit for work and to give an indication of when they will be able to resume work.  The specific nature of the person’s illness is their personal health data and is processed by their doctor in a confidential manner. It should not routinely be disclosed to third parties, including employers.
  • Employees have a duty to take reasonable care to protect their own safety health and welfare, and that of others at work. This should include informing their employer of any health conditions that can affect their ability to carry out their work in a safe manner.
  • A ‘return-to-work’ meeting with a line manager following a period of illness is a useful way to facilitate discussion of any ongoing health issues, that will have an impact on workplace health and safety, and to make reasonable accommodation.
  • Depending on the nature of the work and the specific health condition or injury in question, it may be appropriate for further referral to an occupational health service.

Do we have the right to ask employees if their illness is COVID-related, given the ongoing pandemic? 

  • On receipt of a positive diagnosis for COVID-19, a person will be instructed to self-isolate which will include staying away from work.
  • The public health authorities will collect the necessary information from the person to conduct contact tracing activities.
  • It would be reasonable to ask an employee if they have tested positive for COVID-19, if it is deemed necessary to take precautionary measures to protect the safety, health and welfare of other in the workplace. This will particularly be the case in high-risk environments such as hospitals or nursing homes.
  • Any disclosure of by an employee of their health information must be handled in a sensitive and confidential manner, and should not be disclosed to their co-workers.
  • Contact tracing is a function of the public health authorities and is conducted in a confidential and anonymous manner. Employers should refrain from conducting contact tracing activities on their own initiative.

If an employee/doctor does not put the reasons for absence, then how can an employer fulfil duty of care, for instance if it is back pain or something that could later be used as a personal injury claim?

  • As noted above, the purpose of a medical certificate is to indicate whether or not a person is fit to attend work, and to indicate when they might be expected to return.
  • Assessment of the ability of an individual to carry out their work, or whether workplace accommodations need to be made, can be achieved by means such as discussion with the employee or referral to an occupational health practitioner.
  • In relation to fulfilment of the duty of care, the guidance of the Health and Safety Authority should be consulted.

Can employers let other employees know the names of colleagues who have tested positive for C-19 without it being in breach of DPA?

  • A person’s medical diagnosis is their sensitive, or special category, personal data and must be treated in a sensitive and confidential manner.
  • As noted above, where tracing of an individual’s close contacts following diagnosis is undertaken by the public health authorities this is done in a confidential manner.
  • The implementation of measures to protect health and safety in the workplace must be done in a manner that protects the sensitive personal data of employees, so the disclosure of a diagnosis should be avoided.

Do you have any guidance on how to appropriately manage data, such as text messages from the HSE, confirming test dates or test results? In my organisation, some Line Managers have been forwarding these texts directly by employees to personal mobiles etc. Is this lawful or good practice?

  • Where an employer has been provided with an employee’s personal mobile number for the purposes of communicating with him or her this would be permissible
  • Line managers however should not use their own personal devices to send messages that contain the personal data of employees. We understand that during the current situation this may be unavoidable, in which case policies should be put in place to ensure that this only occurs when strictly necessary and that personal data is removed from the device as soon as possible
  • The DPC also considers that a situation should not arise where employers are provided medical test results before the employee. The medical practitioner conducting the test must make every effort to give the result to their patient (the employee) first.
  • It may not be best practice to communicate a test result to an employee by text, ideally this would be done in person by the appropriate medical practitioner

When does the pre-return-to-work form have to be returned to the employer? Previously in the Return to Work Safely Protocol it had to be returned 3 days before the employee returns to work. The revised Work Safely Protocol says that the form must be returned in advance of employee returning to work. Has the 3-day requirement been removed?

  • The Return to Work Safely Protocol is a plan prepared by the Department of Business and Enterprise and the Department of Health. The timing of the submission of the return to work form is a public health consideration rather than a data protection one. Accordingly employers should keep themselves up to date with the most current version of the protocol as published by the government.

Remote and Home Working 

Our company moved to a 100% Remote Working set up. As part of the onboarding, we will be sending laptops, etc. to the new hires and they will be send by our IT department. Is there any issue with providing personal addresses of employees to the IT department? Do we need specific consent for sharing this information?

  • The provision of IT equipment is a legitimate business need of the employer, so the consent of the employee is not likely to be the appropriate legal basis for the processing of this data
  • Where the company has the personal data of the employee on record there should be no need to seek consent to send out IT equipment. However the employee should be informed that this will be taking place in advance.

What's the DPA's view on employers monitoring employees’ emails and activity while they're working from home? 

  • Any monitoring of employees, whether in the workplace or at home, must be justified on the basis of strict necessity and proportionality.
  • Excessive data collection and processing should be avoided in line with the principle of data minimisation.
  • Any monitoring or surveillance activity must be flagged in advance to employees, via acceptable IT usage policies or other means.
  • This is a complex area that involves the balancing of employees’ rights with the interests of their employer. The guidance of the EDPB on this topic is recommended

https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169

GDPR - Privacy question - if a manager is asking for employee address details in order to send employees a gift (such as a voucher, etc.) for reward purposes.  Are HR as data controllers permitted to provide that information to the manager for these purposes?  Internal policy is a bit vague on this topic.

  • An employee’s address will have been provided to company HR for specific purposes and should be processed for other purposes
  • Staff members may not be comfortable with receiving gifts at home, or may not wish to, depending on their personal circumstances i.e. shared living conditions
  • For these reasons I would advise checking with the employee before posting anything 

If we are told that an employee is going for testing, or will be isolating due to a family member being tested - are we allowed to record this information for example on their personal file for either reporting purposes to show how the business is being affected or reporting in terms of if we had an inspection to show that we are following guidelines? 

  • Information regarding a COVID test will be special category data of the employee and must be treated accordingly
  • If it is deemed necessary to record this data in order to manage compliance with public health guidelines, this would seem to be a legitimate purpose.
  • In terms of monitoring the effect upon the business, I would suggest that this might be achieved by the use of anonymised, statistical data rather than retaining and processing the health data of individual employees.  

Brexit and Data Transfers Outside EU

Is SharePoint an appropriate place to store employee data, instead of a local server based in the EU?

  • The DPC is not in a position to advise on whether specific technical solutions should be used. It is the responsibility of each data controller to assess the technical and organisational measures that they wish to implement.
  • It would be advisable to thoroughly examine the data protection and privacy policies of any third party

What if a colleague has requested remote working outside the EU during the pandemic and needs to access company systems? Might that be in breach of GDPR?

  • If your colleague is accessing systems via a secure portal or VPN with appropriate safeguards to ensure the integrity and confidentiality of any personal data, there should not be an issue. There is no transfer of personal data to a third party controller in the non-EU country in this scenario.

With BREXIT, if you have an ROI company and a subsidiary in Northern Ireland and HR is in ROI, is there an issue with moving data on employees between organisations? It’s all the same firm but we are registered in NI and ROI.

  • For any specific queries, a request for advice can be submitted to the DPC via the website

Is there anywhere we can check what should be included in a standard contractual clause for data transfer to US or UK?

And on European Essential Guarantees for surveillance measures:
https://edpb.europa.eu/our-work-tools/our-documents/recommendations/edpb-recommendations-022020-european-essential_en 

With Brexit, what impact does this have on us as employers in relation to GDPR?

  • The impact of Brexit may be widespread depending on the amount of personal data that you transfer to the UK. Any use of a third party provider or data processor either based in the UK or storing data in the UK must comply with the provisions of GDPR to implement a mechanism for data transfer – most likely the standard contractual clauses, see above.
  • You should also be aware of any onward transfer of data to a sub-processor that may be based in the UK, or another third country
  • Please see the DPC’s Brexit guidance here:
    https://www.dataprotection.ie/sites/default/files/uploads/2020-02/Brexit%20FAQ_Feb20.pdf

What are the risks involved in someone working from home but outside of the EU?

  • As noted above, a staff member working remotely outside the EU does not necessarily present an issue if all necessary and appropriate safeguards are in place to ensures that access to personal data is properly protected i.e. use of encrypted VPN access
  • The same risks present themselves with regard to general working from, with the addition that the recovery of any data that is breached may be more difficult outside this jurisdiction. This should be factored into the assessment of risk in providing remote access to the staff member in question.

How do you deal with the transfer of data from Europe to the US - a US based company who has a subsidiary in Ireland, for example?

Miscellaneous Matters

Can you give us an update on the DPCs work on the Public Services Card?

  • We are not in a position to discuss ongoing statutory functions in this context

What are the enforcement steps that can be taken by a Data Subject or the DPC where a Data Controller is not complying with a Data Access request? 

  • Where a data subject believes that they are not being facilitated in the exercise of their rights, including access, they may make a complaint to the DPC
  • The DPC’s enforcement procedures in relation to such a complaint are set out in Chapter 6 of the Data Protection Act 2018
  • On examination of the complaint, where there is a reasonable likelihood of the parties reaching an amicable resolution, the DPC may take such steps as are considered appropriate to facilitate this.
  • Where amicable resolution is not considered achievable shall proceed to take one of more of the actions set out in Section 109(5) of the Act of 2018 i.e. rejection or dismissal of the complaint; provision of advice to the complainant in relation to the subject matter of the complaint; service of an enforcement notice upon the controller or processor (requiring it to comply with the data subject’s request in the case of a SAR); causing of an inquiry to be conducted, any other action that the Commission considers appropriate
  • It should be noted that the steps to be taken by the DPC will be informed by the specific context of the complaint in question

Where do we stand when an employee refuses to watch relevant CCTV footage on site relating to a disciplinary process and requests under a subject data request to view an excessive amount of footage of herself and others as part of a disciplinary process? Do we have to provide full footage requested (4 hours) and redact all others out from it, or can we just send the relevant part relating to the disciplinary issue?

This guidance material does not purport to be a formal sanction or endorsement of the activities of a data controller, data processor or data subject and the Commissioner reserves her statutory right to investigate, or cause to be investigated, any of the provisions of the Data Protection Act 2018 and General Data Protection Regulation that have been, are being or are likely to be contravened in relation to an individual. This guidance material does not purport to represent legal advice and recipients should seek independent legal advice before acting or refraining to act upon any guidance set out herein.

 

This article is correct at 06/01/2021
Disclaimer:

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.

David Murphy
Data Protection Commission

The main content of this article was provided by David Murphy.

View all articles by David Murphy