Minimising contact is seen as vital to minimise the spread of COVID-19 in the community. Employers have a very significant role to play in the process but it can be challenging balancing up privacy and data laws with the need to protect other employees.
Here’s a closer look at how to manage positive COVID-19 results and contact tracing among employees.
Contact Tracing vs the Data Protection Law
As part of the government tracing scheme, individuals will not be told the identity of the person who tested positive for COVID-19. As an employer, your obligations under data protection law does not prevent you from taking steps to protect your workforce.
This means you can ask employees for proof that they have had a positive test result, and details of anyone they have had contact with at work. The employee has the right to refuse to provide this information.
If you receive health data from individuals you are required, under data protection law, to make sure it’s handled lawfully, transparently and fairly. Health data is classified as “special data” which means you have extra responsibilities to control who has access to it, and how it’s used.
A Data Protection Impact Assessment should be carried out for this type of health data. This will enable you to assess the risks, whether the action being taken is proportionate and whether there are any mitigating actions which would reduce the risk.
Tips on Managing Employee Data on COVID-19
You must ensure that you are compliant with the data protection laws while also offering suitable protection to your workforce. These tips will help you achieve the right balance:
- Any data you collect should be no more than the minimum necessary and it should be directly relevant to the purpose
- You must consider your duty of confidentiality to your employee
- You must ensure that any processing of health data is secure
- Employees should know how you will be using their health data and what decisions you will make based on it
- Ideally, there should be a health data processing policy in place before you begin collecting any data
- You should not identify any individuals when discussing potential or confirmed cases of COVID-19 with the rest of the workforce. You should ensure that the workforce are kept up to date about any possible or confirmed risk.
- You should ensure that informing the workforce about potential or confirmed cases of COVID-19 does not result in any employee receiving harmful or unfair treatment
Contentious Issues to Consider
Balancing the need for confidentiality and data security with keeping the workforce informed can be a very delicate process. Some issues you might want to consider include:
- Will employees be willing to tell you about a positive test result or if they have been in contact with someone who has? They will have to self-isolate and take sick leave – will this be problematic?
- Will employees fear disciplinary action if they have to self-isolate?
- What action will you take if an employee arrives at work after they have been asked to self-isolate?
- What will you do if you don’t have enough work to give people who are self-isolating at home?
Thinking about the potential issues in advance and preparing your procedures will ensure that if COVID-19 affects your workplace you will be discharging your twin duties of data protection and employee protection to the fullest.