As COVID-19 lockdowns ease, organisations need to determine their strategy for employees’ safe return to work. It’s becoming clear that gathering personal data, such as location and body temperature, will be key to minimising the spread of COVID-19 during a safe return to work. But as organisations look to keep people safe from the disease, they can’t overlook the need for data privacy.
Regulators have made it clear that data protection laws and regulations still apply. And organisations will need to gain employees’ trust, otherwise they’re likely to refuse to hand over their personal data.
To ensure the privacy of employee data and build trust, there are three core areas organisations must cover as they create a safe return to work plan following COVID-19:
1. Ensure there’s clear consent
The key tenant in collecting employee data is to ensure there’s clear consent, with the ability to opt out. For people to give clear consent, they need to understand how their data will be managed, secured, used and deleted when it’s no longer required.
Not only should organisations review and consider their consumer- and employee-facing privacy policies to ensure adequacy, they should also provide a separate notice at the time of collection. This notice should disclose why the information is being collected, what the organisation will do with it, how long they’ll retain it, when it might be shared with a third party (such as a government agency), and who employees can contact with any questions.
It’s much easier and safer to design privacy into any employee tracking system, rather than treat privacy as a secondary project. Crucially, this is also central to many of the global privacy laws. Already, Google and Apple are being very clear on how they’re ensuring their systems adopt privacy-by-design in their joint work on contact tracing technology. Organisations will need to take a similar approach with any new technologies deployed in response, including tracking systems, underpinning it with privacy impact assessments so you can demonstrate compliance.
To date, with the admirable rush to respond with technology to help deal with the crisis, there could well be inevitable shortcuts being taken that result in a lack of strictly observing the privacy regulations and laws. Regulators are rapidly responding with clarifications, but the new types of personal data being captured, and the sheer scale of the crisis is throwing up new issues that we have not yet considered.
3. Take a proportionate approach
A key question is whether the information gathered as part of the testing and tracking is necessary and proportionate. It’s also vital to only share such sensitive personal information with those who need to access it.
For example, if an organisation needs to inform employees or customers about potential exposure to someone who tested positive for COVID-19, then they must only share the information necessary for people to assess their risk. That means avoiding using names and other identifiable information. Where possible, organisations should consider adopting pseudonymised or anonymised data approaches to reduce the risk of reidentification.
Faced with changing guidance and technologies, it will be vital for organisations to make back to work decisions through a dynamic, data-driven approach that meets the continued needs of regulation and privacy. Such informed decisions will get the largest number of people back to work safely and quickly, reducing the risk of spreading COVID-19 over the short-, medium- and long-term.