Privacy of Employees during COVID
Employers are experiencing unprecedented challenges due to the coronavirus outbreak. One of them is how to maintain data protection requirements in the new setting: employers have to collect additional health information from their employees, and some companies will be requested to share the data with government authorities. Those companies that managed to switch to remote work are now concerned with the security of the data processed remotely, as well as with how to track employee performance.
Here are a few tips on how not to end up in hot water with data protection laws when implementing virus-preventive measures regarding your employees.
Many COVID-related measures do not require recording or further processing of employees' data. For instance, while measuring body temperature or checking other symptoms is one of the basic measures, recording an employee's normal indicators in a database might not be necessary.
Unless it is strictly necessary to record and retain personal data, it is better to refrain from collecting it. When collection is necessary, collect only the minimum of data necessary for protecting other employees' health. The collection of data will not require the employee's consent, as even the processing of sensitive data, such as health data, is based on the employer's obligation to protect the health of the team.
Limited Storage Periods
To avoid purpose creep, keep the data only as long as it is necessary for the purpose of the processing. If an employee of your company has contracted COVID-19, do not store information about it longer than necessary for the quarantine period. Once the initial purpose has been fulfilled, destroy the data and all its copies, including printouts with the personal details of employees.
Document Data Processing Activities
Whenever you implement measures involving personal data processing, document all activities you perform on employees' data. List the data subjects and data categories, the purposes and storage periods, and the recipients of personal data in the course of your activities.
Occasionally, you might be asked to share the data with government bodies or to contribute to national research on the spread of the virus. Data protection laws do not prevent you from sharing the data with government bodies, but make sure that you have evidence of why and how you did so. This is required by the accountability principle of privacy regulations.
For employees working remotely, consider implementing appropriate security measures to make sure remote work is protected against a data breach. Those measures include the use of secured Wi-Fi networks and, where necessary, a VPN connection; passwords and two-factor authentication on devices used to access data; antivirus and a firewall; and secure, licensed software for remote work.
Meanwhile, do not forget that employees have the right to privacy even during remote work. If you consider implementing tracking tools for measuring employees' performance, perform a risk assessment first, inform the employees about the tracking, and do not track activities that are unnecessary or unrelated to work.
In its recent guidance, the ICO, a British data protection authority, reaffirmed that privacy regulations do not constrain measures to fight the virus. At the same time, organisations must uphold proportionality and respect for privacy.
This particularly applies to the tracking of employees, which should be done only where necessary. We believe that proportionality can be achieved if the organisation follows the basic principles described in this article. We hope you stay safe during this challenging period and take a responsible approach to the preventive measures in your company.
If you require further assistance with privacy issues, the Legal Nodes privacy network is ready to help.
Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.
Vlad Nekrutenko, CIPP/E
Privacy Lawyer at Legal Nodes
3 years in data protection