As we start 2021, we find ourselves in a third national lockdown due to the increasing rates of infection of COVID-19. Many businesses will be in the position of the majority of their staff working from home, with only essential staff attending the workplace. In this article we recap on a few key employment and data protection issues that may arise and how employers should deal with them.
Employees working from home
Review your data protection impact assessment (DPIA)
Employers that have implemented home working since the first lockdown in March 2020 should consider revisiting their data protection impact assessment (DPIA) to ensure ongoing compliance with data protection legislation. In particular, employers should focus on whether any new risks have been identified since they carried out their initial DPIA some 8 months ago.
Things to consider include:
- Reviewing your working from home practices;
- Whether there have been any data breaches since employees have been working from home; and
- What new risks (if any) arise from children home schooling and partners also working from home in what could be a small space?
Ensure employees are trained on data protection
Employers should ensure that employees working from home have undertaken recent training on data protection legislation and their obligations as employees, and are familiar with their employer’s data protection policies.
Keep data confidential and reduce the risks of data breaches
Employees will be processing personal data from outside of the workplace. They must keep that data secure and ensure that it cannot be accessed by members of their household. This is easy enough if all work is done on a password protected computer, but employers should also ensure that any documents that are printed off are kept and disposed of securely. This may require employers to provide lockable storage and paper shredding facilities for employees.
What if an employee is using a personal computer to access the work system remotely? What if the personal computer is also used by other family members? In these circumstances, the employer should ensure that employees are unable to save work documents locally or, at the very least, are told not to. The employer should consider whether it would be better to provide a company laptop for work purposes only.
Another issue that often arises is the increased risk of potential data breaches associated with employees mainly communicating by email. It is all too easy to accidentally copy the incorrect recipient into an email. Employees should, of course, exercise due care and check carefully before hitting send. However, employers should consider other safeguards, such as implementing email delivery delays so that emails are not sent instantly but are instead held in the outbox for a few minutes, enabling employees to delete a message before it is sent. Another alternative might be to change email settings so that email addresses cannot be populated by autofill and employees have to manually enter the recipient’s email address each time (though this may not be popular amongst staff!).
Employees working abroad
Employers may also be receiving an increasing number of requests from employees to work from a country outside of the UK. There are many things to consider in this situation, including potential tax and immigration implications, but these go beyond the remit of this article. From a data protection perspective, a strict reading of the GDPR suggests that such arrangements could amount to data being transferred internationally, thus requiring additional safeguards to be put in place. However, employers will be pleased to know that ICO guidance on the GDPR states that where the employee is employed by the UK company, there is no international transfer.
Employees attending the workplace
Temperature testing
For employees that cannot work from home and are required to attend the workplace, employers must put in place measures to ensure that social distancing guidelines can be adhered to. These may include implementing one-way systems and attendance rotas, erecting barriers, providing face masks, hand sanitiser and access to hand washing facilities, and ensuring that workplaces are not so overcrowded that social distancing becomes impossible.
Some employers may go further and want to introduce temperature checks for all staff and visitors. To do this, they will need the individual’s consent to take their temperature and for most employees this is unlikely to be an issue. Employees may be reassured by the fact that everyone is undergoing the same temperature test and that their employer is taking steps to protect them from contracting COVID-19 in the workplace. Businesses must bear in mind that the results of any temperature testing will be ‘special category’ personal data relating to health under the UK GDPR and Data Protection Act 2018. As such, the data must be handled with particular care and with additional safeguards. Employers should:
- inform staff of the reason for the test;
- explain what the result will be used for;
- state who the data will be shared with and for how long the test result will be kept; and
- explain what decisions will be made based on the test result.
Consideration should be given to the fact that the government has warned that temperature testing by way of thermal cameras and temperature screening products may not be sufficient to screen for COVID-19, since many only record skin temperature and not core body temperature. Also, a fever is only one of the symptoms associated with COVID-19 and 1 in 3 people with COVID-19 are asymptomatic.
Our advice to employers that wish to temperature test employees and visitors is to take legal advice before implementing such a policy. If you do introduce temperature testing, make sure you update your data privacy notices to cover the personal data collected from these tests. Only keep records of results for as long as you need them and keep the information confidential; only disclose to those within your organisation on a need-to-know basis and anonymously if you can.
NHS Track and Trace
Employers may want to ask and encourage employees to download and use the NHS Track and Trace app. However, employees cannot be forced to download or use the app. Whilst Regulations introduced in September 2020 made it a legal requirement for those in hospitality, leisure and community premises to collect data from customers, staff and volunteers for contact tracing purposes, there is no legal requirement for individuals to use the NHS Track and Trace app. Whilst it could be argued that it’s a reasonable management instruction, employers should communicate with employees who have concerns about using the app to try to understand the reasons behind those concerns. Some employees may be concerned about how their data will be used and who it will be shared with; others may consider it to be a form of ‘Big Brother’ surveillance and therefore an infringement of their civil liberties and human rights.
Employees shielding or self-isolating
Employees that are ‘shielding’ can be placed on furlough if they are not able to work from home. A failure to consider shielding for such employees could result in disability discrimination claims against the employer.
In addition, there is a mandatory requirement that employers do not knowingly require or encourage someone who is being required to self-isolate to attend the workplace. If they do, employers will be liable to a fine of up to £10,000. Employees self-isolating at home may also be eligible for furlough if they are clinically extremely vulnerable. Most employees who are on sick leave or self-isolating as a result of coronavirus may be entitled to statutory sick pay. Government guidance states that furlough leave is not intended for short-term absences from work due to sickness.