Here we look at some of the key data protection issues for organisations that we have been asked to advise on recently.
Q: A member of staff has told us that we are not to share information about them with NHS Test and Trace under any circumstances. Where do we stand?
Data protection law does not prevent an organisation from sharing information about staff with health authorities, even against their wishes. If the situation does arise, any decision to pass information on should involve a balancing exercise based on the individual circumstances of the case, weighing the wider benefits (for example, to public health) against individual data protection rights.
You should look carefully at the reason for the objection and in many cases may well conclude that the balance lies in favour of disclosure. Any objection might count as a formal 'right to object' request under the GDPR.
Q: We provide a staff canteen facility. Is there anything specific we need to be aware of?
Certain sectors are required to keep records relating to staff and customers and share those records with NHS Test and Trace if requested. This may be relevant to your organisation as the requirements apply to a number of different settings including workplace cafes / canteens and indoor sport and leisure centres.
See the Gov.uk website.
Q: We have purchased equipment to enable our organisation to carry out its own COVID-19 tests on staff. What are the data protection considerations?
This will engage with many of the issues that your organisation might have already considered when handling personal data relating to the pandemic.
There will also likely be a number of wider issues to consider, for example, how the testing fits in with your health and safety obligations and employment law.
Q: Our employees are using their personal computers for work. Can we install monitoring software?
Data protection law does not prevent this in principle but there are a number of legal and practical challenges. For example, how would your organisation prevent monitoring of private emails and documents? What would happen if another family member used the device? You should also be aware of the Computer Misuse Act, which makes it an offence to carry out certain activities on another individual's device.
Many of the points above in relation to using COVID-19 testing equipment apply here as well.