While, over a year ago, employers engaged in a considerable undertaking to transition their workforces to a remote environment, many are now beginning the process of returning to the office. As the COVID-19 vaccination drive continues to progress at a steady pace, employers are considering how they will balance the need to provide a safe working environment while upholding the rights of their employees.
At present, much of the guidance released in 2020 still stands. The UK Government's Work and Employment Support page states that “everyone who can work from home must do so”. The Irish government’s COVID-19 rules are the same. However, some government bodies, including Ireland’s Department of Business, Enterprise and Innovation (DBEI) and the Department of Health, are developing forward-looking guidance to enable organisations to plan for employees’ return. In relation to data protection, both the UK Information Commissioner’s Office (ICO) and the Irish Data Protection Commission (DPC) have also published supplemental guidelines (UK and IE) to help employers be mindful of key considerations.
Employers are reminded to:
- Avoid the unnecessary disclosure of health information or status.
- Consider that subject access request (SAR) response time frames remain legally binding; where an organisation is struggling to meet the deadline, the DPC advises that SARs may be provided in stages if necessary.
- Ensure that they identify and carefully choose their lawful basis for processing. In many cases, this lawful basis will be legal obligation.
- Only use the minimum amount of personal data necessary to achieve their aims.
- Document decisions taken and the rationale for any new measures put in place.
We expect that updated guidance will be made available as new challenges become evident in 2021. In particular, we expect to see issues arise in respect of disclosures of vaccination status.
As employers consider which measures are proportionate, many may have considered incorporating a disclosure of vaccination status to help identify which employees can return first and to put appropriate measures in place. While this may seem like a reasonable request, due to the sensitivity of the information and the difficulty in mandating this disclosure, employers should conduct a risk assessment to identify whether the particular role or working environment warrants this level of disclosure. As with all health and safety and data protection requirements, employers must consider not only the rights of the employee but also the rights of other individuals. The need to ask for vaccination status will usually be dependent on the ability to balance the rights of other individuals, and each organisation should still consider what the process will be for accommodating unvaccinated or vulnerable employees. Even where the disclosure is deemed to be permissible, it is not without legal implications.
Risks when processing vaccination status
Requiring a disclosure of vaccination status can inadvertently disclose other information, such as health conditions, or philosophical or religious beliefs, which may give rise to privacy infringements or even discrimination. As such, it is critical that within their return-to-office planning, employers consider how potential data protection and privacy issues will be handled and what the policy decisions will be around these. Employers should also be mindful when balancing the rights of their employees that absolute privacy cannot be guaranteed; however, all employees are entitled to a reasonable expectation of privacy in the workplace.
While this period brings with it a sense of hope and a return to normality, it also presents a number of challenges as employers must handle greater volumes of sensitive data and navigate new issues. Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations to ensure compliance with the latest data governance regulation. We offer a range of data governance services, including audit and assessment, compliance support, and robust training programmes to help employees and senior management facilitate a data protection culture within your organisation. For more information please feel free to contact our advisers, who would be more than happy to help.