When the Return to Work Safely Protocol was published in May, we outlined the main considerations for employers.
You can read this piece here.
In this piece, we outlined that General Data Protection Regulation (GDPR) was a concern for employers as implementing the protocol would require them to process employee data, but there was no guidance on how employers could ensure compliance with GDPR guidelines while adhering to the protocol as the two contravened in some instances.
In response to this the Department of Business, Enterprise and Innovation (DBEI) and the Data Protection Commission (DPC) published guidelines on June 26th clarifying how employers can implement the recommendations under the protocol while adhering to GDPR obligations.
The guidance document has been prepared to assist in providing guidance and clarification to Employers where the measures set out may result in the processing of data.
Some key points from the document include:
Contact tracing logs
The protocol recommends that employers keep a log of contact/group work to facilitate contact tracing.
The DBEI document clarifies that the purpose of maintaining logs is to facilitate the HSE’s officiation contact tracing procedures. The information on these logs should only be used for contact tracing purposes.
Employers should ensure that all medical information is treated in a strictly confidential manner. It is important to remember that medical information falls under the sensitive category of Special Category Personal Data under the GDPR and data protection laws. This means that it attracts even more protections than standard personal data due to its sensitive nature. One simple way of achieving this is by having a designated person(s) in place to oversee this process in the workplace (i.e. Need-to-Know basis).
The Pre-Return to Work Form
The protocol recommends that employers establish and issue a return to work form and that this is returned by employees 3 days minimum prior to returning to the work premises. The form is intended to highlight to employees the symptoms of COVID-19 before they re-enter the workplace and so reduce the potential risk of infection between staff.
The Data Protection Commission recommend that the return to work forms should be tailored to collect the minimum amount of information necessary to be effective and should generally not be processed for any other purposes. Images and temperature readings are not necessary, for example.
The DBEI has advised that the return to work forms should not be retained once the employee has returned to the workplace.
Currently the Public Health Advice has not implemented mandatory temperature testing in the workplace
The Data Protection Commission has advised that if an Employer does decide to implement temperature testing as a safety protocol they must be in a position to justify any consequent use of the personal data resulting from temperature testing.
Where such measures are under consideration, employers should remember to consider whether a Data Protection Impact Assessment (“DPIA”) might need to be carried out before any personal data is processed in conjunction with the measure. Further information on DPIAs can be found here.
For more information on the Return to Work Safely Protocol, or any other employment queries, please contact one of our employment law experts, Marc Fitzgibbon at email@example.com, Emer Murphy at firstname.lastname@example.org or call 01 644 5800.
For more information on GDPR or any data protection concerns, please call 01 644 5800.