The COVID-19 pandemic has had – and will, for the foreseeable future, continue to have – an impact on the balance of the data relationship that exists between employers and employees, both in terms of return to work surveillance and remote work monitoring.
Return to work monitoring
We can see this data collection shift in the steps employers are taking to provide a safe working environment as part of planning for and managing a return to the workplace. Risk assessments are one of the government's five key steps that employers are expected to take as part of seeking to provide a workplace that is as safe as is reasonably possible in the circumstances for employees.
As part of this risk assessment process, employers need to know and be mindful of the risks to, and needs of, different categories of employees, including those who are at higher risk and vulnerable, or who live in a household with someone who is vulnerable. Employers are also expected to take reasonable measures to protect employees from those colleagues or visitors to their premises who may need to self-isolate, either because they have symptoms of COVID-19 or have been exposed to someone who has symptoms.
For these reasons employers need to ask questions and potentially collect specific additional employee information where that is needed for health and safety reasons. The UK Data Protection Act 2018 (DPA18) does not necessarily prevent the collection of further information specific to employees' health. Indeed, in the context of COVID-19, the UK Information Commissioner's Office (ICO) has confirmed that it would be reasonable to ask employees to let employers know of their specific situation or if they are experiencing COVID-19 symptoms or have tested positive, in the context of the employer's social protection obligations.
That does not mean, however, that data protection considerations can be put to one side. While it may be appropriate to ask wider questions of employees, the data protection principles – in particular those concerned with fair, transparent and proportionate processing – still apply.
In this respect, the ICO has recently published updated guidance setting out separate key data protection steps organisations should take to help comply with the principles:
- Consider the purpose and what actual data collection steps are necessary: Determine whether specific information collection is necessary as part of safe working measures, whether different options actually contribute to the objective of a safer workplace, and whether the same end can be achieved without collecting personal information.
- Keep data collection to a minimum: Collect only what data is needed concerning people's symptoms and test results to implement appropriate safe workplace measures.
- Be clear and transparent with employees: Explain what you are collecting, why you wish to use that information, and what the implications of that may mean in terms of your decisions about staff (for example, using a clear privacy notice).
- Treat people fairly: Ensure that your approach to decision-making using health information of employees is fair and does not lead to any form of discrimination.
- Secure, confidential and limited storage: Store collected data securely and only for as long as it is needed under the current crisis. Define your retention policy for specific information so that it is kept under review and the data is deleted or anonymised at the point it is no longer necessary.
- Respect information rights: Make sure that employees remain informed about their rights in relation to their data, including (among other rights) their rights of access and rectification.
These principles are underpinned by the entry point for compliance, which is establishing the lawful basis for processing. For commercial employers, this is likely to be where that processing is necessary for the purposes of the employer's legitimate interests, provided these are not overridden by the rights, freedoms and legitimate interests of their employees. In the case of processing special category (sensitive) personal data, which includes employee health data, the lawful grounds are likely to be where the processing is necessary to meet the employer's social protection obligations.
In certain circumstances, particularly where there is a large workforce, this will involve collecting and processing health data on a large scale. This gives rise to a higher likelihood of risk to individuals, triggering the need to carry out and document a prior data protection impact assessment (DPIA).
A DPIA will also be needed where collected employee information is used to monitor or profile the health of the workforce, or where more intrusive technologies are being considered to assist with screening and testing. This may include technologies such as digital temperature checks or any proposal to use thermal cameras, proximity tracking apps, or the use of CCTV to ensure employees are abiding by social distancing or hygiene standards.
Any assessment of technology solutions, particularly of their proportionality as covered in the first step above, will need to assess how they work, the data they collect and, in the absence of a less privacy-intrusive alternative, whether they are in fact an effective and reliable option or may produce false positive results leading to a risk of inaccurate decision taking about individuals.
Remote work monitoring
Many of us switched to remote working during lockdown, and employers had to be agile in implementing new tools and measures to enable that transition. The easing of lockdown restrictions will not necessarily mean an immediate return to the workplace, particularly for those who are vulnerable, at risk or who need to self-isolate, or where certain employers are considering a longer-term shift to a remote working model.
This transition to remote working has also led to increased levels of personal data collection and processing by employers. Those watercooler conversations we would previously have had may now be recorded chat transcripts held on the company networks, and our old face-to-face meetings have been replaced with online video and/or audio calls, where the video is captured against the backdrop of the employee's home and family life and where there is the ability to record and retain content.
Pre-lockdown employee monitoring measures were typically limited to ensuring acceptable use of communications equipment and technology in accordance with the employer's policies and standards. The applicable regulatory ICO and EC guidance relevant to ensuring proportionality and transparency with employees in relation to such processing is longstanding.
However, technology now offers even more options for employers looking to monitor and measure employee productivity and performance which the lockdown and increased remote working have thrown into the spotlight. This includes tools to check the amount of time employees are actually working – for example, software enabling remote webcam activation to see if the employee is actually sitting in front of their monitor, or the use of software that logs keyboard strokes or mouse clicks.
The European Data Protection Board is planning to publish guidelines for teleworking tools and practices in the context of the COVID-19 outbreak. However, this work has been delayed in favour of finalising more pressing COVID-19 related guidance on geolocation and other tracing tools, and the processing of personal data for research purposes. In the meantime, the existing monitoring guidance – including the ICO's key steps above – still applies and is just as relevant to the assessment of new technologies intended to monitor employees who are currently remote working or who will continue to do so.
For both return to work and stay at home monitoring, the ICO's key steps will apply to any proposed solution deployment. In particular, there will need to be a prior and careful assessment of the proposed personal data processing under the first step above. It is worth bearing in mind that the more intrusive the technology, the harder it may be to demonstrate lawful grounds for the processing, given the overriding legitimate rights or interests of employees that need protecting. It will also be more difficult to demonstrate a clear necessity for that processing for social protection purposes.
It is also worth noting that this assessment is UK specific and other local employment laws will affect the determination for employers operating across different jurisdictions. This is particularly the case in any EU Member States where local restrictions relevant to the processing of health data, employee monitoring, and co-determination rights under employment law will need to be taken into account.