CORONAVIRUS - OCCUPATIONAL HEALTH - 03.06.2020

Handling coronavirus medical information

Employers may collect medical data from their staff as a result of the coronavirus pandemic, whether it’s a report that the employee has had the illness or something more specific. How should you manage this information?

Confidential information

In order to manage the risks, you might now need to know a little more about your staff’s health than you would in normal operational circumstances. For example, some key workers will be encouraged by their managers to attend testing stations, and others might need to share with their employer that they are more vulnerable to the virus due to an existing health condition. The Information Commissioner’s Office (ICO) is advising employers to prepare for how they will manage this sensitive data, and to help, it has published a set of frequently asked questions (see The next step). It emphasises the restrictions that surround medical data, not only in the form of coronavirus test results, but also less formal information, e.g. lists of those who suspect that they have had the virus.

Warning. The law in this area is complex, and the penalties for getting it wrong are substantial.

Special status

Health data has the protected status of “special category data” under the GDPR. As such, if you keep medical information you must have very good reasons for doing so, either for the protection of staff or others such as clients in your care.

Tip 1. If you plan to undertake testing, or collect test result information, having a data protection impact assessment will give you some protection should you be accused of wrongdoing at a later date.

Tip 2. The ICO has provided a template to help you. It asks you to describe: (1) the activity being proposed; (2) the data protection risks; (3) whether the proposed activity is necessary and proportionate; (4) the mitigating actions that can be put in place to counter the risks; and (5) a plan or confirmation that mitigation has been effective (see The next step).

Tip 3. You can request staff to attend a testing station and report their results, but check with your HR advisor whether this process is covered by your current terms and conditions of employment.

Basics

For many organisations, their only foray into coronavirus data will be the keeping of a list of employees who say they have had the illness and maybe using the information to enable staff to know if they could have been exposed to the virus.

Tip 1. There are rules, even for keeping a list of employees affected by coronavirus. Before doing so consider: (1) whether it is necessary; (2) how you will keep the information secure; (3) how to ensure that such lists do not result in any unfair or harmful treatment of employees; and (4) how you’ll prevent the data being used for any purpose other than those which staff would reasonably expect.

Tip 2. The key to compliance is to only collect the minimum amount of personal data needed to keep staff and customers safe.

Tip 3. You’ll need to inform staff if their colleague has a suspected or confirmed case of coronavirus, but don’t share more information than is strictly necessary. If possible, don’t even share the name of the affected staff member.

The next step

For a link to the ICO guidance and for its template form, visit http://tipsandadvice-healthandsafety.co.uk/download (HS 18.19.07).

Before you start collecting, analysing, storing and acting upon coronavirus data from your staff, ensure that you’re familiar with the Information Commissioner’s Office advice. There are significant penalties for getting this wrong.

© Indicator - FL Memo Ltd
