COVID-19: Practical Employment Related Data Protection Issues
Posted in: Webinar Recordings on 24 June 2020
During this webinar recording, in association with Matheson, we hear directly from the Data Protection Commissioner’s office on key employment and data protection issues in the context of Covid-19. Dale Sunderland, Deputy Commissioner, Data Protection Commission, participates on a panel with leading experts Deirdre Crowley and Chris Bollard, Matheson, discussing return to work issues in the employment and data protection context.
Deirdre Crowley now provides her responses to some of the common queries raised by attendees at the webinar under the key headings of maintaining the contact tracing log, introducing temperature testing in the workplace, requiring the completion of the Return to Work forms and introducing daily self-certification forms.
Maintaining the Contact Tracing Log
- What format should the contact tracing log take?
- What common DP issues arise when conducting contact tracing in the workplace?
- Is an employer responsible for contact tracing where an employee is confirmed as Covid-19 positive?
- If an employee tests positive for Covid-19, are we permitted to inform his / her colleagues given our statutory obligation to ensure the health and safety of our employees at the workplace?
- What are the appropriate retention periods for the contact tracing log?
Introducing temperature testing in the workplace
- What is the position in relation to temperature testing in the workplace?
- Where the results of temperature testing are not recorded, are there DP considerations?
Completion of return to work forms
Introducing daily self-certification forms
- In addition to requiring employees to complete Return to Work forms, can we insist that our employees also complete daily self-certification forms?
- What common DP issues arise when requiring daily self-certification forms?
The Return to Work Safely Protocol (the “Protocol”) requires that employers keep a log of contact / group work to facilitate contact tracing and that employees need to be informed of the purpose of the log.
Neither the Protocol nor the Health and Safety Authority (“HSA”) prescribes any particular format that the log must take, but what is clear is that it should provide sufficient detail to facilitate the authorities in contact tracing. Irish employers, therefore, need to be in a position to easily identify and contact employees and others who visit their workplace. There are data privacy implications at play, which are addressed in the response below.
The National Standards Association of Ireland: Covid-19 Workplace Protection and Improvement Guide (the “Guide”) provides that organisations and, where possible, individuals, should keep a contact log to facilitate HSE contact tracing in the event of a Covid-19 case in the workplace. It provides a non-exhaustive list of examples of how a log can be maintained, including through the use of sign-in sheets, clocking systems, visitor logbooks, delivery personnel details and third party service provider visitor information. The Guide further provides that whatever form the log takes, the information should be stored securely, maintained centrally and should be readily available upon request by the authorities, i.e. by the HSE for the purposes of contact tracing.
We are also seeing clients record employee attendance at meetings and training sessions where such must be held in person and where people are in each other’s company for more than 15 minutes within a two hour period.
The Guide also contains (at section 3.4.6 entitled "Zoning") a template to log staff movements and locations. This is based on dividing work areas into zones with personnel allocated to work within each zone. For example, Zone A could be designated for back office, Zone B designated for manufacturing, Zone C designated for warehouse and Zone E designated for the canteen. In addition, the Guide states that movement between the zones should be minimised and controlled at all times and it provides a ‘zoning template’ log document to record, amongst other things, the allocated zone for each employee and then confirmation of the time(s) they visit other zones.
This "zoning" approach provides a very practical, high-level record of employee whereabouts within a large site on any given day, without the need to detail or record every movement.
We suggest that this is coupled with appropriate communication, training and regular instructions to employees to minimise travel within the workplace premises / site as far as possible, as well as adhering to the usual requirements of physical distancing, respiratory etiquette and hygiene standards.
In order to conduct contact tracing in the workplace, it would be important for an employer to establish a lawful basis for the processing under both Article 6 and (where collecting health data) Article 9 of the GDPR. As employers are required to maintain a contact tracing log within the workplace as part of the Protocol, an employer will be entitled to rely upon compliance with a legal obligation for the purposes of Article 6 (in accordance with Article 6(1)(c) of the GDPR) and upon carrying out obligations in the field of employment law under Article 9 (in accordance with Article 9(2)(b) of the GDPR) where a measure is necessary for the purpose of complying with the 2005 Act. The Data Protection Commission (“DPC”) has emphasised in its most recent guidance of 26 June 2020 that:
“When considering whether Article 6(1)(c) and/or Article 9(2)(b) might provide a suitable legal basis for the processing of personal data in a health and safety context, employers should remember that any processing of personal data should be limited to that which is necessary to achieve the objective being pursued.”
And this should be considered carefully in respect of the measures implemented for the purpose of conducting contact tracing in the workplace.
As employers conducting contact tracing in the workplace will collect personal information and health information from employees, the personal data held in a contact log should generally not be processed by an employer for any other purpose. In accordance with the guidance of the Department of Business, Enterprise and Innovation (the “DBEI”), this information should be held only for as long as considered necessary for the purpose of facilitating the HSE’s official contact-tracing procedures and to act as a “memory aid” for employers to provide relevant information in the event of a positive COVID-19 diagnosis. Employers should take particular care to avoid disclosing information regarding an employee’s diagnosis to other employees.
Employers will need to carry out a data protection impact assessment (“DPIA”) in respect of any measure which involves the collection of special category personal data on a large scale (such as across all of its employees) including in relation to maintaining a contact log. A key element of conducting a DPIA is to consider the proportionality and necessity of the measure in question. The organisation will need to explain and document why the measure in question is necessary and to assess if there are alternative means to achieve their aim which would have less of an impact on the rights and freedoms of employees.
Although the Protocol obliges employers to keep a contact log for the purposes of facilitating Covid-19 contact tracing, the actual function of contact tracing is the sole responsibility of the HSE. Employers should, therefore, not proceed with tracing and tracking employees where a Covid-19 case is confirmed or suspected.
For information purposes, the practice of contact tracing in the employment context is that the HSE contacts employers in respect of a positive Covid-19 case of an employee / patient on a needs must basis. Where an employee tests positive and the employee has had contact with other employees in the workplace (that is to say, has been within two metres of other employees for more than 15 minutes in the last 14 days) then the HSE must contact those employees to go through standard questions with them to assess whether they need to self-isolate and / or be tested. The HSE will name the employee in their communication with the employer and will require a copy of the employer’s contact log to establish who needs to be contacted by them. In this scenario, the HSE has a legitimate reason to name the employee on a needs must basis as otherwise, the employer would be unable to provide the correct contact log information. In our experience, clients who have gone through this process have also provided the HSE with maps of the affected employee’s workspace and have even traced the steps of the employee to include, for example, meeting rooms and canteen activities. Where an employee tests positive but has not been in contact with anyone at work, because they are working remotely for example, then the HSE will not contact the employer at all to confirm the positive test.
In a guidance note published on 6 March 2020, the DPC provided that “any data processing in the context of preventing the spread of Covid-19 must be carried out in a manner that ensures the security of the data, in particular where health data is concerned. The identity of affected individuals should not be disclosed to any third parties or to their colleagues without clear justification.” The DPC’s most recent guidance, published on 26 June 2020, further provides that “employers should avoid disclosing information relating to a particular employee’s COVID-19 diagnosis to other employees.” We are of the view that it would be extremely difficult to justify the disclosure of an employee’s positive diagnosis to his / her colleagues and that employers should not name employees who test positive, unless the employer is expressly required to do so by the HSE. We see this scenario as being highly unlikely as the HSE has its own track and tracing department dedicated to this function.
We note the statutory obligation on employers, pursuant to section 8 of the Safety, Health and Welfare at Work Acts 2005 – 2014 to ensure, so far as is reasonably practicable, the safety, health and welfare at work of his or her employees. However, we do not consider it a breach of this obligation where an employer does not inform colleagues of a confirmed case of Covid-19. Where there is a confirmed case, that employee is required to self-isolate in line with public health advice. The Protocol places a very clear obligation on employers in respect of managing a suspected case of Covid-19 in the workplace and it is also very clear in its provision as to how employers should operate a workplace to mitigate the spread of Covid-19, such as ensuring physical distancing by staggering start and finish times, ensuring meeting rooms are set up to facilitate physical distancing, ensuring card payment facilities are available, etc.
The Data Protection Commission emphasised that the data should be retained only for as long as considered necessary for this purpose. The DBEI has indicated that the use of the contact tracing log should be conducted in strict adherence with HSE guidance and, therefore, the retention period should be informed by the most up-to-date guidance of the HSE. The HSE currently advises that it can take up to 14 days for the virus to show up. To provide for asymptomatic cases or cases that become symptomatic late in the 14 day period following contact, we recommend retaining contact logs for 4 weeks.
Temperature testing is not currently legally required, other than in healthcare and residential care settings and in the prison service. The government has not recommended testing but rather takes the position that there is nothing to prevent an employer from conducting testing (particularly on a voluntary basis) as long as appropriate risk assessments are carried out.
The DPC’s most recent guidance, published on 26 June 2020, indicates that employers “must be in a position to justify why any consequent processing of personal data is necessary for the purposes of mitigating against the identified risk.” They have indicated that a key element of this justification is the consideration of the necessity and proportionality of the implementation of such a measure. They have also emphasised that employers should consider whether a DPIA might need to be carried out.
The conducting of temperature tests, even where the results are not subsequently recorded, involves the processing of personal data. Therefore, the ordinary data protection considerations for the collection and processing of such personal data will arise. However, the fact that such information is being deleted immediately is helpful to demonstrate compliance with the storage limitation principle of the GDPR.
The pre-return to work forms should not be retained for longer than necessary to achieve their purpose.
Guidance from the DBEI states the pre-return to work forms should either be (i) disposed of or destroyed securely as soon as the relevant worker has returned to the workplace; or (ii) returned to the worker at the point of entry to the workplace.
Although the Protocol requires that Return to Work forms be completed by employees at least three days prior to their return to the workplace, it does not require that a daily questionnaire / self-certification be issued to employees on an ongoing basis. We are seeing organisations introduce daily self-certification measures (on the basis that within days of completing the Return to Work form, the responses provided are out of date). Some employers are doing this via an online portal that employees must complete daily before coming onsite and others are doing so manually, by way of a sign-in sheet. We are also seeing companies requiring their employees to complete the self-certification questionnaire provided for on the HSE website on a daily basis and simply submit the final result to the employer. This HSE questionnaire is available at: https://www.hse.ie/chatbot/covid/chatiframe.aspx. There are data privacy considerations at play, depending on the format relied upon and the data processed, and we have addressed these considerations below.
In order to require the completion of daily self-certification forms, it would be important for an employer to establish a lawful basis for the processing under both Article 6 and (where collecting health data) Article 9 of the GDPR. Where an employer wishes to rely upon the legitimate interests of the organisation in order to process the personal data, they will need to conduct a legitimate interest assessment.
In addition, where employers collect personal information and health information from employees (including as part of daily self-certification forms), the personal data should generally not be processed by an employer for any purpose other than the purpose for which it was collected. It should also be held only for as long as considered necessary for the purpose of facilitating the employer’s procedures for protecting its employees. Employers should avoid disclosing information regarding an employee’s diagnosis to other employees.
Employers will need to carry out a DPIA in respect of any measure which involves the collection of special category personal data on a large scale (such as across all of its employees). A key element of conducting a DPIA is to consider the proportionality and necessity of the measure in question. The organisation will need to explain and document why the measure in question is necessary and to assess if there are alternative means to achieve their aim which would have less of an impact on the rights and freedoms of employees.
This article is correct at 24/06/2020
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.