Return to work safely-Data Protection and Privacy

Tips for workplaces with respect to GDPR post Covid Lockdown

It has been a difficult time as not only us but the entire world has seen a pandemic bring the life of the people to a standstill. However, the Irish authorities have signaled towards relaxing of the lock-down in phases. This shall lead to workplaces being opened up for employees to resume work. Health and Safety Authority (HSA), the Health Services Executive (HSE) and the Department of Health have collaborated for the issuance of guidelines called Return to Work Safely Protocol. It is designed to support employers and workers to put measures in place that will prevent the spread of COVID-19 in the workplace, when the economy begins to slowly open up, following the temporary closure of most businesses during the worst phase of the current pandemic. The Protocol discusses several issues at length however does not make any reference to the conduct with respect to Data Protection Regulation.

As known, the Data Protection Commission has made it clear that, “Data protection law does not stand in the way of the provision of healthcare and the management of public health issues. However, DPC also makes it clear that handling of personal data specifically being health and other sensitive data should be given its due importance.

  1. Legal Compliance and data minimization

Depending on the internal policies of the employers wherein the employers may continue remote working or on-site work, there will be processing of data of employees with respect to their health status along with other sensitive data. Keeping in mind the Protocol and the Data Protection Laws the employers will have to show strict compliance with respect to health data as it falls under the category of personal data. Processing of such data is prohibited, however keeping the interest of the other employees and the employers itself, it is allowed to process such data. Though the processing of data may be allowed in such circumstances, it is necessary to observe the principles of data minimisation. It requires minimal data to be processed which is relevant for the employer or in such crucial situation. For example, the employer may process data of its employees by maintaining a regular check-up of any employee showing any symptoms. If the data hints towards any symptoms the employer may take suitable measures to ensure safety of its other employees.

  1. Confidentiality

The employers need to maintain confidentiality while processing such data as any kind of data leak may attract severe consequences. For example, if any employee is found to be infected with any disease, the employer may take reasonable measures to safeguard the other, however any revelation of the health status of the infected employee to other employees amounts to data breach.

  1. Transparency

The employers are duty bound to maintain transparency with respect to processing of data. The employers need to provide information about all the stages of processing to its employees and keep the employees notified about any changes made.

  1. Privacy by design

The lockdown had rendered a majority of employees to operate from home (Work from home). Employers had accordingly issued internal guidelines and protocols keeping in mind the data security of the employers and employees. Depending on the current situation, employers may adopt work policies which may either be remote working or on-site work, depending on the situation and requirement. In either of the situation, the employers need to take this as an opportunity to structure the internal policies in accordance to the GDPR and Data Regulations laws. The intention is to avoid any data breach and strict adherence to the data protection laws. The employers shall structure the data governance with an intention of keeping the data secure and well administered.

  1. DPIA

Understanding the nature of data which shall be processed by the employer, either it may be special category personal data or other, it is of immense importance to understand and assess the current data privacy compliance prior to such step being taken. It shall work in favour of the employer to conduct a Data Privacy Impact Assessment so as to evaluate the status of the employer with respect to data privacy compliance and if it finds any shortcomings may implement required measures subsequent to consultation from a data privacy expert.

Read here: DPC nearing decisions on social media giants

By |2024-06-18T12:56:08+01:00June 18th, 2024|Uncategorized|0 Comments

Share This Story, Choose Your Platform!