• Contact Us

How to Safely Monitor Staff While Working Remotely

on Friday, 09 October 2020.

Navigating data protection compliance often requires balancing the rights and wishes of individuals against the wider benefits of using and sharing personal data. The use of personal data in relation to coronavirus (COVID-19) is a case point.

Here we look at some of the key data protection issues for organisations that we have been asked to advise on recently.

Q: A member of staff has told us that we are not to share information about them with NHS Test and Trace under any circumstances. Where do we stand?

Data protection law does not prevent an organisation from sharing information about staff with health authorities, even against their wishes. If a situation does in fact arise, any decision to pass information on should involve a balancing exercise based on the individual circumstances of the case taking account of the wider benefits (for example, to public health) against individual data protection rights.

You should look carefully at the reason for the objection and in many cases may well conclude that the balance lies in favour of disclosure. Any objection might count as a formal 'right to object' request under the GDPR.

Q: We provide a staff canteen facility. Is there anything specific we need to be aware of?

Certain sectors are required to keep records relating to staff and customers and share those records with NHS Test and Trace if requested. This may be relevant to your organisation as the requirements apply to a number of different settings including workplace cafes / canteens and indoor sport and leisure centres.

See the Gov.uk website.

Q: We have purchased equipment to enable our organisation to carry out its own COVID-19 tests on staff. What are the data protection considerations?

This will engage with many of the issues that your organisation might have already considered when handling personal data relating to the pandemic.

  • You must be satisfied that what you plan to do is fair, necessary and proportionate. In particular, you should focus on the proportionality of your proposed approach. You should also carry out a data protection impact assessment (DPIA), to help, identify, document and mitigate any risks.
  • Staff should be given clear information about how their personal data will be used, including information about who the test results will be shared with (both within your organisation and with external agencies, such as the health authorities).
  • You will also need to make sure that you have identified the relevant lawful basis under Article 6 of the GDPR. Health information counts as 'special category' data, so you will also need to identify a condition for the processing (in addition to a lawful basis) under Article 9 of the GDPR / Schedule 1 of the Data Protection Act.

There will also likely be a number of wider issues to consider, for example, how the testing fits in with your health and safety obligations and employment law.

Q: Our employees are using their personal computers for work, can we install monitoring software?

Data protection law does not prevent this in principle but there are a number of legal and practical challenges. For example, how would your organisation prevent monitoring of private emails and documents? What would happen if another family member used the device? You should also be aware of the Computer Misuse Act, which makes it an offence to carry out certain activities on another individual's device.

Many of the points above in relation to using COVID-19 testing equipment apply here as well.

Coronavirus Legal Advice


For specialist advice on data protection, please contact Bronwen Jones in our Information Law team on 07818 018215, or complete the form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Telephone
Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input