Yesterday, I actually had a conversation with someone who was not a neighbour over the fence, my regular postman, or a member of my household. A new Amazon driver delivered a parcel and hung around at the end of the drive to ask if he could take a photo of my car, and we ended up having a 15-minute conversation.
Maybe it’s just “Cabin Fever”, the stress of being cooped up with close family for weeks with no “space” and no escape, but doesn't it just seem that everywhere on the news, in print, on email or Social Media, everything is just depressingly Coronavirus?
I guess the reality, however, is that there is no other newsworthy news. Nothing is happening; seemingly the burglary rate will be at an all-time low because everyone is home to guard their belongings!
That said, with no real prospect of being allowed to return to normality in the immediate future, whatever that normality may be, some businesses (ourselves included) have started to think about how they'll return to work. We’ve heard of #construction, #hospitality, even some #retail outlets planning how they might reopen their doors, such as:
- only allowing a limited number of people to enter premises
- shift working or alternating staff between working at home or in the office
- checking people’s temperature on arrival at work
- staggered start times, finish times and breaks
- regular disinfection of canteens or communal areas, and
- maintaining that all-important two-metre distancing.
As the EU and other countries start their own relaxation of restrictions, the UK Government will no doubt be taking note of their successes or failures and will issue guidance to us all in order to mitigate the risk that COVID-19 takes a new hold.
Whatever controlled return we choose, chances are we'll be processing more personal information about people’s health in order to protect the workplace and colleagues and to prevent the spread of COVID-19, but what are the data protection implications of this?
GDPR’s Article 9 sets a blanket prohibition on processing any Special Category Data about individuals without explicit consent or other additional measures and controls, and this includes information about a person’s health or wellbeing.
Thankfully, however, the GDPR also provides explicit legal grounds in the context of epidemics which would allow employers or businesses to process such health data without the consent of the individual, in Article 9(2)(g), (h) and (i).
So what do you need to do to ensure that any plan you put in place, and any health data you might now collect as part of that plan, are lawful, fair and transparent?
1. You’ll want to create a policy specifically for this scenario and make it available to anyone who wants to see it, particularly to the individuals whose data you’ll be processing. In it you’ll need to describe:
- What information you will collect and why it is necessary;
- The exemption from Article 9(2) that allows you to lawfully process that data without the person’s consent;
- If you’re going to share it within your business or with other parties, with whom you intend to share it, why that sharing is necessary and under what conditions and controls;
- How long you (or anyone you’ve shared the information with) will keep it. Remember, retention periods must be a defined length of time, not just “for as long as we’re lawfully allowed to keep it”. You can make a statement along the lines of “we will keep this information for a maximum of 6 months following the date that the UK Government declared the COVID-19 lockdown as officially ended”.
2. Place a privacy notice in prominent locations where you collect the information, summarising what you have put in your policy, and directing individuals to where they can find and read the full policy.
3. Remember, this information is deemed particularly sensitive, so it warrants special protection. It should not be stored in a location accessible to everyone and must only be made available to those people who actually need that data!