by John Lloyd, Practice Lead at Securys.ie
As we continue to navigate the waves of the pandemic, employers are collecting more and more information about the health and private lives of their staff. It’s understandable: companies are trying to make workplaces safe and keep their people well and happy.
We have seen the rise of temperature checks, wellness surveys, Covid testing and now the discussion about vaccinations and the “no jab, no job” debate. So what is an employer entitled to ask about the health of their people, and who should have access to that information?
All this health information is considered especially sensitive under data protection laws, requiring extra justification for its collection and additional safeguards to protect it.
The coronavirus has blurred the lines between public health and occupational health. Because it is a contagious and potentially fatal disease, it is reasonable for any responsible employer to take measures to control the risks of spreading the virus and protect their workforce.
However, it is important to remember that some of the measures you may wish to introduce could be considered intrusive. Have you carried out a data protection impact assessment to demonstrate why you are collecting this information and that you have taken the right precautions?
Extra security and deletion dates
Health and wellness information is the domain of occupational health, not HR. If you are not a health professional, you should not have access to this kind of information about individuals within your organisation. Consider what you actually need to know and how you can discover this most effectively, with minimal impact on people’s privacy – for example, by conducting an anonymous survey.
Health information needs to be treated with extra security. This might mean storing less data – only the information that’s absolutely necessary – and taking more care about restricting access to that data.
It might involve reviewing deletion dates, so sensitive data is only kept for as long as is strictly necessary. Covid test results, for example, should be deleted within two weeks. This is risky data to collect and store. Consider what it might mean to staff morale and loyalty if sensitive details are widely shared.
The post-pandemic plan
While it might be important to collect some sensitive personal data in the face of the pandemic, you will also need a post-pandemic plan to stop data collection and make sure it will be deleted securely. Restoring and renewing ways of working is also an opportunity to reset data collection and management.
Meanwhile, with remote working set to continue for some time, we are seeing more and more intrusion into people’s home lives. We may all laugh when Zoom meetings are interrupted by a child needing help with their homework, but when those meetings are also being recorded, there is a risk that you are collecting more information than you need (or bargained for). Staying in touch with people working remotely is vital for corporates, as well as for individual mental health, but the boundaries between work and private lives also need to be respected. Giving people choice – and the ability to say ‘no’ – is just as important as supporting them through this difficult time.
Privacy breaches can attract costly fines, but the real cost might be in losing your best people and having to attract new recruits, if trust in the company is lost.
We know from research that employees value their privacy at work as much as in other areas of life. Bear that in mind when asking everyone to keep their cameras on… even if the boss’s cat does make those calls that bit more entertaining.
About the author
John has worked in a wide variety of leadership roles in diverse sectors including media, healthcare and non-profit. He enjoys realising complex but rewarding projects for organisations of various sizes in his role as Practice Lead at Securys, the UK’s largest specialist data privacy consultancy.