Coronavirus - New data privacy and employment law challenges - UK

• United Kingdom

• Coronavirus - Data and Cyber Security issues
• Coronavirus - Workforce issues

22-05-2020

The UK Government’s much-awaited COVID-19 recovery strategy or “road map” to ease the UK out of lockdown has been published. For employers, key to any progress towards a return to work will be their ability to adhere to new “COVID-19 secure” guidelines. These guidelines focus on the eight workplace settings currently permitted to remain open, such as construction sites, laboratories, factories and offices.

The guidelines aim to give employers freedom, within a practical framework, to think about what they need to do to continue, or restart, operations during the COVID-19 pandemic. Each employer will need to translate the guidelines into the specific actions it needs to take, depending on the nature and type of business, how it is organised, operated, managed and regulated.

It is clear that leadership, trust and careful planning will play a vital role in this critical next phase of COVID-19. Beyond consideration of the numerous practical issues involved, employers may have some concerns about how the measures they are contemplating will be received by the returning workforce. In addition to potential employee relations issues, employers will be conscious of the risk of legal challenges by employees. We highlight below two of the key data privacy and employment law issues which continue to be of concern for employers.

COVID-19 testing and other screening of the workforce

The issue of testing or screening does not form part of the new COVID-19 secure guidelines, but new ICO guidance on workplace testing for employers has been published. This confirms that testing of this nature will inevitably involve the use of employee personal data, and often special category personal data in the form of information about an individual’s health.  Some employers may have been tempted to shy away from adopting testing and screening measures because they were concerned about data privacy laws which they perceive as being problematic or overly restrictive. However, it should be recognised that the quality of an employer’s decision-making during this difficult period will be directly linked to the quality of data available to them. Neither the GDPR or Data Protection Act 2018 should act as a barrier to undertaking testing or screening if employers focus on the key data protection requirements, namely, that any such processing must be necessary, lawful and fair.

When considering whether processing is necessary to achieve the purpose, it is important that employers ensure they do not capture more data than they need or use it too broadly. An objective test is applied when considering this and employers should challenge themselves to see if the processing of personal data itself is actually necessary to achieve the objective or can it be achieved without recording it?  If health data does need to be recorded, employers should conduct an appropriate data protection impact assessment which, in the context of COVID-19, may be built into the framework of a wider health and safety risk assessment.  This is consistent with the “accountability” requirement to be able to evidence compliance, but also helps to structure considerations on mitigating the risks and impacts to individuals as well as the employer.

A lawful basis must be identified for each purpose that the personal data will be processed for. Where health data is being collected, there are more limited options.  It should be remembered that to process special category data you have to find a legal basis under both Article 6 and Article 9 of GDPR (as well as Schedule 1 DPA 2018).  Article 9 is a narrower gateway to squeeze through. Reliance on employee consent for staff health screening is problematic as it must be “freely given” consent. We would therefore caution against this, but compliance with duties as an employer or for social care may provide a legal basis for processing the special category health data concerned, alongside the legal basis of legitimate interest,  by virtue of employer health and safety obligations.  This would need to be considered on a case-by-case basis. In doing so it’s essential to consider whether the data collection and processing being proposed is necessary and proportionate to achieve that purpose.  There are many different approaches to testing, so we’d recommend looking closely at the technical solution, the way in which it is conducted, and erring on the side of no or minimal personal data collection.

If you are considering testing as part of a rollout across multiple countries it’s also important to note that the legal basis which can be adopted here in the UK, may differ to that which can be relied on within the rest of the EU.  A feature of the DPA 2018, as well, is the ICO’s employer “supportive” interpretation of it.  One of the reasons why governments in some other countries have, in past weeks, intervened specifically to provide guidance on the topic of testing. 

When looking at purposes, it’s also important to consider whether there will be more than one purpose it’s used for and that you have lawful reasons for all of them. Beware of “purpose creep”.  Whichever option is chosen for the lawful purpose(s), it is important that an adequate audit trail is available.   

Employers will need to ensure that employees know what data is being collected and for what purpose, amongst other information. GDPR requires quite a specific degree of information to be provided in privacy notices if the processing of health personal data is to be considered fair and in accordance with GDPR transparency requirements. In an employment context, such awareness is generally achieved via a privacy notice. Those employers which already have the ability to test or screen employees, e.g. for drugs or alcohol, may find they can rely on their existing privacy notices for COVID- 19 purposes. Alternatively, the content of an existing privacy notice can be updated or supplemented to encompass the processing of the testing data proposed.  

For special category data, employers should also consider whether they need to produce a specific data protection policy or guidance for those handling the data to comply with the DPA 2018 requirements, if the relevant considerations are not already covered in their full data protection policy. Needless to say, all the other aspects of data protection compliance are relevant so employers should also ensure they consider extremely carefully how long, if at all, they need to retain any personal data collected for testing, and how to keep it secure so that it is not at risk of being hacked, lost or subject to unauthorised access.  Arrangements with any third party solution providers should be reviewed to ensure the required protections are in place, as should of course the ability for individuals to exercise their rights of access etc.

Coronavirus and employees' health and safety concerns - whistleblowing and other risks

Health and safety laws mean that employers have a legal duty to ensure, so far as is reasonably practicable, the health, safety and welfare at work of their employees and anyone else who may be affected by the employer’s business. This would include conducting regular risk assessments to identify COVID-19-related risks and taking appropriate measures to control those risks, an approach which is reinforced in the new guidelines. Employees have legal responsibilities, too: to take reasonable care for their own and others’ health and safety and to cooperate with their employer to help them meet their duties. Furthermore, there is an obligation on employees to report concerns they may have about health and safety issues where they reasonably consider that certain health and safety risks arise.

In addition to the “COVID-19 secure” guidelines mentioned earlier, the UK Government and Health and Safety Executive have issued other health and safety guidance which is expected to be updated (e.g. guidance for employers and businesses and toolkit on managing risks and risk assessment at work ). The Scottish and Welsh Governments have gone further than this by publishing Regulations which support workplace social distancing measures. All of this guidance is aimed at supporting employers in meeting their health and safety obligations.

The Government recently updated its headline COVID-19 slogan to “Stay Alert; Control the Virus; Save Lives”. But this is in contrast to its initial, very well-publicised, messaging which strongly focused attention on the need to “Stay Home”, and could be perceived to be in tension with employers’ current plans to re-open their workplaces.  It is anticipated, therefore, that some employees will have concerns about the potential health and safety consequences of returning to work and the Government publication Coronavirus outbreak FAQs acknowledges this could be an issue.  Employers should seek to address such concerns and build employee trust e.g. by involving health and safety representatives in risk assessment planning, and communicating openly with staff on measures adopted to safeguard their health. However, failure to do so may create a risk that employees will feel they have no choice but to take further action, whether that is by: simply failing to return to work; issuing a grievance; blowing the whistle or by seeking to engage in industrial action.

There is much speculation currently regarding sections 44 and 100 of the Employment Relations Act 1996 (“ERA”), which protect employees against suffering a detriment or being dismissed for “health and safety” reasons, namely, where there is a danger which, in the employee’s “reasonable belief”,  is “serious and imminent”. Whether there is such a danger will be a question of fact, which will vary in each case. However it is conceivable that an Employment Tribunal would find that COVID-19 met that test and so, if an employee takes protective or evasive action (e.g. by refusing to work), any consequent detrimental act or omission or dismissal could be unlawful.

Sections 47B and 103A ERA also protect workers who make protected disclosures from detriment and dismissal. Raising a concern relating to health and safety is likely, in most circumstances, to amount to a protected disclosure for the purposes of whistleblowing. (It is also possible that if an employee raises concerns about data protection breaches arising from COVID-19 testing or screening, this could amount to a protected disclosure, provided the concern was raised in compliance with the relevant requirements of ERA).

Reasonable belief for either of the above purposes is a mixed subjective and objective test - did the employee genuinely hold this belief and was it reasonable for them to have held that belief? It is not necessary for the employee to show that a legal obligation has actually been breached; they need only show that they reasonably believed this to be the case.  This is important because most employees cannot be expected to appreciate the finer details of health and safety, data privacy or employment law.

Both the health and safety and the whistleblowing provisions described above protect all employees, regardless of length of service.  Significantly, there is no limit on the compensatory award for a dismissal found to be on either of these grounds, which will be automatically unfair.

Employers should also bear in mind that individuals who suffer from certain health conditions are at higher risk of serious illness or death if they contract COVID-19. Although current guidance suggests those meeting the definition of “clinically extremely vulnerable” must continue “shielding” until end June (and most likely beyond that), requirements imposed by an employer on such individuals to attend work, to not pay them or to dismiss them due to their absence, could amount to disability discrimination.

COVID-19 secure workplaces – comment

It is clear that operating against the background of COVID-19 continues to create new (or is resurrecting some older) challenges for employers. It is also clear that when employees start to return to the workplace, they and their employers will face a very different environment. Flexibility will be required on all sides to ensure that new working practices are implemented smoothly and safely.

For further information on any of the topics covered in this briefing, please do contact the Diane Gilhooley, Paula Barrett, or your usual Eversheds Sutherland advisor, to discuss your particular circumstances.