home News   HR & Employment Law   Government Protocols And Data Protection Considerations

Government Protocols And Data Protection Considerations

The Department of Business, Enterprise and Innovation has recently published an explanatory guidance document to the Return to Work Safely Protocols in order to support Employers where the implementation of measures recommended by the Protocol, result in the processing of personal data.
 
The guidance set out by the Department aims to advise Employers on the implementation of the recommendations of the Protocol in a manner that complies with their obligations as data controllers under the GDPR and Data Protection Act, 2018.
 
Now more than ever must Organisations ensure compliance with the core GDPR Principles when processing Health information. With the designation of health information being categorised as Special Category Data under GDPR Regulations data controllers must maintain compliance in dealing with this information. In order to do this Organisations must ask themselves:

  • What is the purpose of the processing?

  • Is there another way to achieve it?

  • Is there a lawful basis for the processing?

  • Is the process necessary and proportionate?

 
The handling of health information will be daunting for many, but the Data Protection Commission (hereafter referred to as the DPC) has provided useful guidance for Employers when dealing with the following items under the protocols.
 

1. Contact Tracing Logs

Outlined in the Protocol is a recommendation for all Employers to maintain a log of contact/group work. This contact tracing log will facilitate contact tracing from an Organisational need, in supporting Employees who contract the virus to provide this information, and to align to the Health Service Executives official contact-tracing procedures.
 
The advice from the DPC is that personal data held in a contact log should generally not be processed by an Employer for any other purpose. Employers should avoid disclosing information relating to a particular Employee’s COVID-19 diagnosis to other Employees. Finally the data should be retained only for as long as considered necessary for this purpose.
 

2. Return to Work Form

A mandatory requirement under the Protocol is that Employers ensure all Employees complete a return to work form at least three days in advance of the planned return to work. The purpose of requiring Employees to complete this form in advance of any return, is to enable Employers manage potential risks of infection, make informed decisions on an Employees return to the workplace and to implement the necessary measures and controls in the workplace to mitigate risk.
 
The advice coming from the DPC in respect of the Return to Work forms is to tailor the forms to ensure the minimum information necessary to achieve the objective of the form is collected. It is also important that this information collected is generally not processed for any other reason. The guidance set out by the Department of Business, Enterprise and Innovation is that the Return to Work form is not retained beyond the point of an Employee’s return to the workplace.
 

3. Temperature Testing

A topic of much discussion has been the recommendation in the Protocol of the implementation of temperature testing, which as it is stated within the document, says that it should only be done, “in line with Public Health advice”. It is on this basis that the DPC advises that temperature testing should not be considered a requirement of the Protocol at this time.
 
The Data Protection Commission further advises that Employers currently considering the implementation of temperature testing as a COVID19 response measure, in the context of a particularly high-risk workplace and in response to a particular risk that has been identified, must be in a position to justify why any consequent processing of personal data is necessary for the purpose of mitigating against the identified risk.
 
An assessment of the necessity and proportionality of the implementation of such a measure should only be done in line with public health advice, or where such measures are being considered, then Employers should also give consideration to whether a Data Protection Impact Assessment might need to be carried out before any personal data is processed in conjunction with the measure.
 

4. Legal Basis for Processing

Finally, when Employers are processing personal data, in the context of implementing the measures recommended by the Protocol there must be a ‘legal basis’ for doing so and when processing special category personal ‘health’ data an Employer must also be able to satisfy one of the requirements of Article 9 GDPR.
 
When considering whether Article 6(1)(c) and/or Article 9(2)(b) might provide a suitable legal basis for the processing of personal data in a health and safety context, Employers should remember that any processing of personal data should be limited to that which is necessary to achieve the objective being pursued. In addition, the processing must comply with all of the principles of data protection as set out in Article 5 GDPR.
 
 
Disclaimer – The information in this section is provided for reference purposes only to assist Employers with the government Return to Work Safely Protocols, explanatory document relating to these by the DBEI and Data Protection Commission advices relating to the Protocols and must be read in that context and should not be used for or interpreted as a legal definition of any of the information provided. Professional advice should always be sought before making any such decisions. The information as provided is available on the Data Protection Commission website, www.dataprotection.ie and is correct as of July 3, 2020.

Share on