Privacy (GDPR)

Privacy of Employees during COVID

Privacy of Employees during COVID

Employers experience unprecedented challenges due to the coronavirus outbreak. One of them is how to maintain data protection requirements in the new setting: employers have to collect additional health information from its employees, and some companies will be requested to share the data with government authorities. Those companies that managed to switch to remote work are now concerned with the security of the data processed remotely, as well as with how to track employee performance. 

Here are a few tips on how to not to end up in hot water of data protection laws with implementing virus-preventive measures regarding your employees. 

Data Minimisation

Many COVID-related measures do not require recording or further processing of employees. For instance, while measuring the temperature of the body or checking other symptoms is one of basic measures, the recording of employee's normal indicators into a database might not be necessary.

Unless you are driven by the strict necessity to record and further keep personal data, better refrain from the collection. When necessary, collect only a minimum of data necessary for protecting other employees' health. The collection of data will not require employee’s consent, as even the processing of sensitive data, such as health data, is based on the employer's obligation to protect the health of the team.

Limited Storage Periods

Not to cause purpose creep, keep the data only as long as it is necessary for the purpose of the processing. If your company has an employee contracted COVID-19, do not store information about it longer than necessary for the quarantine period. After the initial purpose was fulfilled, destroy the data and all its copies, including the printouts with the personal details of employees.

Document Data Processing Activities 

Whenever you implement the measures involving personal data processing, document all activities you do on employees’ data. List the data subjects and data categories, purposes and storage periods, as well as the recipients of personal data in the course of your activities.

Occasionally, you might be asked to share the data with government bodies or to contribute to the national research on the virus spread. The data protection laws does not prevent from sharing the data with government bodies, but make sure that you have evidence of why and how you did that. This is required by the accountability principle of privacy regulations.

Remote Work

For the employees working remotely, consider implementing appropriate security measures to make sure the remote work is protected against a data breach. Those measures include the use of secured Wi-Fi networks and, where necessary VPN connection, passwords and two-factor authentication on devices for access to data, antivirus and firewall, as well as secure and licensed software for remote work.

Meanwhile, do not forget that employees have the right to privacy even during remote work. If you consider implementing tracking tools for measuring the employees' performance, perform the risk assessment first, inform the employees about tracking, and do not track the activities that are not necessary or related to work.

In its recent guidance, ICO, a British data protection authority reaffirmed that the privacy regulations do not constrain measures for the fight with the virus. At the same time, proportionality and respect for privacy must be upheld by organisations. 

It particularly applies to the tracking of employees, which should be done where necessary only. We believe that proportionality can be achieved if the organisation follows the basic principles described in this article. We wish you to stay safe during this challenging period and take the responsible approach for the preventive measures in your company. 

If you require further assistance with privacy issues - Legal Nodes privacy network is ready to help.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.


Vlad Nekrutenko, CIPP/E

Privacy Lawyer at Legal Nodes

Need a lawyer in this area?




3 years in data protection

Vlad is a data privacy enthusiast and expert in the GDPR compliance. He possesses IAPP...

Legal Nodes Blog

For Startups
Ultimate guide to connecting Virtual Data Protection Officer

Connecting Virtual DPO can greatly reduce start-up’s data protection costs. This article explains who the Data Protection Officer is, why you should consider outsourcing DPO services, and how to pick one that matches the needs of your business....

Legal Nodes Team
Privacy (GDPR)
Cookie Policy: How to Track Website Users Lawfully

The recent study of the Nederlandse Omroep Stichting (the ‘NOS’), a Dutch news media, showed that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple - the users cannot use the websites wit...

Legal Nodes Team
For Startups
Why Your Startup Needs a Founders' Agreement + Template 2021

Founders Agreement – the key step to set clear intentions for you and your partners and to avoid misunderstandings in the future. In a new post on the Legal Nodes blog, we explain what a Founders Agreement is, reasons for your startup to prepare...

Legal Nodes Team
For Startups
Terms of Use that your users will actually read

In this article Legal Nodes Team talks about Terms of Use, how to write them effectively and why you need them in the first place. You could find a FREE template at the end of this article....

Legal Nodes Team
Privacy (GDPR)
How Can You Leverage a Privacy Kit More Effectively?

In this article, Punit Bhatia, a leading privacy expert, shares how small businesses can become privacy compliant by using Privacy Kits in an effective and why just branding the documents and templates in name of your company is not a good idea....

Punit Bhatia
Legal Nodes Updates
Legal Nodes in 2020: A Year in Review

Despite the fact that for many 2020 will be strongly associated with the coronavirus pandemic and lockdown measures, it would be a mistake to forget all the good things that happened this year. Especially when the festive season approaches, and ...

Legal Nodes Team
Privacy (GDPR)
Internet data mining. Is it legal in the EU?

Data mining is the process of collecting and analyzing human-readable data for own purposes. More and more businesses are built on that concept, scientists and medics also use automatically combined data from different sources to spawn predictio...

Ewa Wojnarska-Krajewska
Privacy (GDPR)
11 simple (but complete) steps towards the GDPR compliance in 2020

The GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies...

Thomas Hayes
Contract Work
Force Majeure Clauses and the Effect of Coronavirus on Businesses

The coronavirus pandemic has made force majeure clauses one of the hottest legal topics worldwide. To help businesses navigate this issue, we asked Tom Bohills, an English qualified lawyer and the Founder of Chronos Law, to explain the backgrou...

Tom Bohills