Many employers have questions about whether and to what extent personal data can be requested from employees in the context of the coronavirus pandemic. In this article, I highlight some practical questions and concepts that employers should factor into processing of employee personal data and provide advice on how to mitigate the main risks for both employer and employee.
Data protection requirements generally do not prevent the processing of personal data as long as the purpose of collection and processing is legal. For instance, if an employer has established a legally valid vaccination mandate as a condition for allowing an employee to work, the employer may also legally process the relevant data.
Although companies and other organizations vary greatly in structure and activities and the same approach does not hold true for all cases, we can highlight a few key activities that both parties can carry out to help to ensure the interests of both sides in the employment relationship.
Personal data of employees
In general, any information that can be associated with a specific employee can be considered employee personal data. During the pandemic, employers may need to collect information on the employees’ close contact status, isolation, testing and test results, potential infectiousness, illness and recovery, vaccination status and stance towards vaccination.
Some personal information is categorized as health data; mainly information that can be used to make assessments regarding the employee’s health condition. Legislation sets out additional conditions for the collection and use of health data, and processing of health data runs a greater risk for both employees and employer.
Determining the need for data
One of the main rules for collecting personal data is that there has to be a valid need for such data. The need is dictated by the purpose of the activity for which data are collected.
The need to gather personal data may be related to compliance requirements arising from applicable laws, pursuing legitimate interests of the employer or even stem from the desire of the employer to popularize and promote testing or vaccination. The employer must document the purpose of data collection and associate it with the personal data which is necessary for achieving that purpose. Specifying the purpose makes it easier to carry out further in-house planning and helps protect the employer’s interests in the event of disputes. It also ensures the application of the requirements arising from processing of personal data. The description of the purpose should be detailed enough so that the need for gathering the data is evident from the purpose. The purpose also determines the importance of the accuracy of the data and the means of involving the employees (whether the submission of data is obligatory or voluntary).
When specifying the actual need for the data, further use of the data after the initial collection of data must be taken into account – whether the data must be retained and if so, for how long. For instance, if the employer measures the body temperature with a software-based device that saves the temperature reading, it should be considered whether and for how long a reading for a specific employee must be retained. If the employer gathers information on employee’s test results, the necessary retention period probably varies depending on the test result. It is not necessary to keep the result of a negative test as long as the result of a positive test. Once the personal data are no longer necessary, they must be deleted or all links with the specific employee removed, so that the data can no longer be associated with a specific employee.
Surveys conducted at a company
It is not always necessary to gather data in a manner that allows the data to be associated with a specific employee. This is the case if the employer wants to conduct a survey to gain insight into employees’ preferences for the planning of their return to the office and organization of work. It is usually possible to conduct surveys anonymously without allowing the responses to be linked to a specific respondent.
A situation that often arises is that an employer asks employees for their vaccination desires or other data via a shared data table that is circulated via email or which can be accessed by all employees. This could jeopardize the employee’s privacy as co-workers could access the information. At the same time, the integrity of the data is also at risk, as the answers or other information could be deliberately or accidentally changed. In this way, the employer would be in breach of its duties regarding processing personal data, since the employer is required to protect information concerning employees from unauthorized access and modification by other employees. Moreover, the decisions made by the employer due to unauthorized modification could be based on inaccurate data, which later on requires additional resources to eliminate the consequences.
Knowledge and proper use of various easily available digital solutions enable conducting the surveys in a compliant and privacy-friendly manner. In the light of potential future waves of the pandemic and constantly improving knowledge of the virus, there may be a need to conduct surveys multiple times, and from the employer’s standpoint, it would be wise to simplify and automate the process as much as possible.
Ensuring a safe working environment and protection for other employees’ health
If the purpose is to ensure a safe work environment and protection for employees’ health, the need for specific personal data arises from the workplace risk assessment conducted by the employer. Identified risks and measures to manage them may vary depending on the environment, area of activity and other employer-based factors, which is why every company may also have a different actual need for different data. The more sensitive data are and the greater the implications to an employee’s privacy, the more the processing of such personal data should be avoided where possible, proceeding only if there is no other way to mitigate the risk identified in the workplace risk assessment.
Employer-based factors are not the only ones that should be considered when it comes to prevention of virus-based illnesses. The known qualities of the virus and vaccines also have a major role, and employers are generally not competent to assess these risks. Consequently, both existing and constantly updated knowledge should be taken into account. Thus, employers must constantly update their risk assessments if new knowledge about the virus or vaccine properties comes to light which may influence the management of the risk, which in turn could affect the need and justification for gathering personal data.
Information about (suspected) infection
In the event of catching the virus, it should be considered whether the information about the specific employee’s illness has an effect on the employer’s operations or influences protection of the health of other employees. If the existence or lack of such information does not lead to further consequences, it is probably not necessary for the employer to specifically determine whether the employee has contracted the coronavirus. This may be the case, for example, if the employee has been working remotely for an extended period or if, due to the location and nature of the work, such information does not impact safety of the working environment or the health of other employees.
Employers should refrain from notifying the entire workforce about the illness of a specific employee. If the information about the specific employee’s illness must be used, it should be made available only to as small a circle as possible and only to the extent that disclosing such information directly helps prevent the spread of the virus.
Data about employees’ vaccination status
Various data can exist regarding the vaccination status – whether and when the employees were vaccinated, and with which vaccines. Although employees often share such information over coffee or lunch and reveal their vaccination status informally, employers still must have a legitimate and need-based purpose if they intend to keep and use informally disclosed information.
Similarly to other types of personal data concerning employees, employers must keep vaccination information confidential as well and prevent access to the data by unauthorized persons. The employer must also apply the principle of minimal use and gather only data that is justified. For example, information about which specific vaccine was used may not be necessary for an employer, but storing such data may incur significant privacy risks for the employee.
Correctness of data and the anonymity factor
In the context of the pandemic, it is important to ensure that data are correct. There is no benefit from processing data to manage risks identified in the working environment risk analysis if data is inaccurate. Thus, the means of collection and the source of the data must be considered to ensure the accuracy of data. If the purpose of data collection does not have any legal consequences and the employer intends to merely presume honesty from the employee, anonymous data should be considered prior to collecting personal data.
In some organizations, employees may be exposed to social pressure that forces the employee to provide information that is not accurate. For example, an employee may provide inaccurate information about whether he or she has been in close contact, is in mandatory quarantine, infected, vaccinated or whether they wish to be vaccinated, if their own attitudes depart from the norm for that organization. The employee may also be wary of negative consequences, disparaging attitudes and becoming the target of accusations. In such a case, providing anonymity can increase the accuracy of the data. An employee who has no reason to fear direct negative consequences may provide more accurate information that makes it easier to detect possible spread of virus or recovery or to map the general attitude among an organization’s workforce. Anonymous data collection also mitigates privacy and compliance risks arising from processing of personal data, since the data cannot be associated with any specific employee.
When to ask for an employee’s consent?
In the context of an employment relationship, asking for an employee’s consent should generally only occur if giving the consent is optional and refusal does not lead to any negative consequences for the employee, such as not being allowed to work. Consent is an appropriate basis for data collection if the employer is looking to incentivize vaccination and enable vaccination in the workplace. In such a case, being vaccinated must not be a compulsory condition for allowing the employee to work.
Asking for consent should be avoided if the collection of personal data is required to manage a specific risk identified in the workplace risk assessment, because in this case the consent will not be legally valid, as effective mitigation of a risk usually cannot rely on the voluntary choice of the employee.
Need to create and keep evidence of privacy considerations
On the one hand, it is legally required to be able to provide evidence of compliance with principles of data protection. Employers must maintain evidence of data processing activities and the considerations that preceded the processing. In any case of processing personal data, one must always be prepared to prove the need for and permissibility of processing personal data along with consideration of privacy risks to the people concerned and measures applied to address those risks.
Other than compliance requirements, it is also in the employer’s own interests to document relevant activities and considerations. Undocumented activities are commonly forgotten, employees can leave and new ones are not aware of previous decisions, and the situation changes constantly. This is why documentation of activities maintains consistency and preserves the knowledge gained from experience so that better and more effective decisions can be made in the future. It also helps to ensure the employer’s legal interests in the event of disputes if a need arises to justify the collection of personal data.