You need to consider GDPR when you are completing your COVID-19 Return to Work Protocol
Employers throughout the world are currently trying to figure out how they can re-open their businesses while protecting the health and safety of their employees in the middle of the COVID-19 crisis.
It is complicated.
In Ireland the government have produced the Return to Work Protocol and are asking that each employee completes the following questionnaire:
The information collected above is medical data and so is considered special category data as per the GDPR. This adds significant responsibilities for the employer (the data controller). For most businesses, this will be the first time they will record this type of information. There are risks to the rights and freedoms of employees with the recording of this information.
All businesses need to be very careful: the obligations of the GDPR have not been paused because of COVID-19. If you need to reopen your place of business, then make sure you do the following 5 things:
1. Communication
The management team in the company needs to discuss this first, including how it will be implemented. It is important to minute and document this meeting too. Ideally, an official board minute would be drawn up recording the discussion and then the outcome.
Next, communicate it to the employees: explain the “why” and “how” of what you are doing. Make sure they understand this is in their best interest and it is being conducted on the back of health and safety regulations.
2. Recording the information
This is the hard bit because this is where things can easily go wrong.
You should be very reluctant about using email to communicate this. If this data is put in an email and then sent to the employee's line manager, it is a sizable risk to the employer. Email attachments quite often go astray and get sent to the wrong person.
Completing the Word document and saving it to a folder on the server comes with risks too. Public folders on servers are difficult to secure.
Ideally, you would use an online HR platform where this information can be recorded. The big advantage here is that the information is secure and cannot be accessed by other people within the company.
3. Remember – less is more
The government has given clear instructions on what to ask and what to record. Limit it to that. Proportionality is a key part of data privacy laws. Do not ask questions that you do not need to. Do not get creative here.
This is especially relevant for Question 6. If an employee has other circumstances relating to COVID-19, then the less you know about them the better. If the employee says they have something, have a verbal conversation with him/her, and do not record the detail. Just record that they have something.
If you can achieve the same outcome with less information, then that’s a positive.
4. Be careful about using Consent
Make sure you do not use the word “consent” here. Do not ask employees to consent to give this information, or consent to any type of health screening. The GDPR allows for other legal bases for recording this information. Consent is not one of them.
5. Have a plan to Delete the Data
Discuss and understand how and when this data will be deleted. Is it relevant once COVID-19 work restrictions are ended? If not, then delete it. You can keep a record that you got employees to record this at the time, but it is important that this data does not outlive the crisis. Keeping it beyond that point is not in the employees' best interest.
Like all companies with office-based employees, we have had to innovate to implement COVID-19 requirements and act in the data subjects' best interest. If you want to discuss how we can help your company return to work safely you can contact us using the form below: