Health data is “special category data” so employers must follow additional safeguards when processing this.
The Information Commissioner’s Office (ICO) has published guidance on coronavirus which indicates that they will take a largely pragmatic approach, as they understand that: “resources, whether they are finances or people, might be diverted away from usual compliance or information governance work”. It may, for example, not be practical to comply with a subject access request within one month. However, employers must still do all they can to be mindful of data protection obligations.
While it may be reasonable to ask employees where they have recently travelled from or whether they are currently experiencing symptoms, employers should not collect more data than they need and should keep data for no longer than required. For example, routinely taking the temperature of employees is not currently recommended by Public Health England or the government and, as such, it would be difficult for employers to justify collecting or keeping such information.
If an employee has a suspected or confirmed case of coronavirus, the employer has a duty to inform their colleagues but should refrain from naming the affected individual in the interests of protecting their privacy.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice