15th October 2020
COVID-19 and Data Protection
Some employers, despite protocols in place, are still uncertain as to whom, if anyone, they should contact in the event of a confirmed case of COVID-19. With all the different guidelines, this is quite understandable.
If an employee advises you that they have COVID-19, or symptoms, the first question you should ask them is whether they have contacted their General Practitioner and what they were advised. Secondly, ask who they have been in close contact with at work. If this happens at work, they should either be sent to the isolation area in the premises or sent home immediately whilst they contact their doctor.
Close contact includes anyone who has been situated within 2 metres of another person for more than 15 minutes.
Can an employer notify their employees of a suspected/confirmed case?
Employers have a duty of care under the Safety, Health and Welfare Act to protect their employees. Therefore, there is a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so.
According to the Data Protection Commission, “Measures taken in response to Coronavirus involving the use of personal data, including health data, should be necessary and proportionate. Decisions in this regard should be informed by the guidance and/or directions of public health authorities, or other relevant authorities”.
For this reason, we would recommend employers require their employees to follow the guidance and/or directions of public health authorities/General Practitioners in relation to any contact tracing.
Any disclosure of the identity of affected individuals must be clearly justified.
Where advised that an employee is positive, the employer should, if possible, notify the close contacts identified, avoiding disclosure of the identity of the relevant person by simply advising each of them that they have been in contact with an individual who is a confirmed case and that they should isolate and contact their GP.
So, whilst there is some legal basis for processing personal data related to an employee’s health, disclosure of this information to other employees should be limited and proportionate in order to avoid a breach of GDPR.