Employers do have a general legal obligation to provide a safe work environment for its employees and these days, employees will generally include part-timers and interns.
Now with the outbreak of Covid-19 on a pandemic scale, there is now a new norm for employers and their employees. These business continuity measures have included working from home, telecommuting and "split teams".
In the midst of all these additional measures, employers still need to be mindful about their personal data protection obligations under their local data protection laws. This article will set out the data protection issues (based on the 4 stages of the information life-cycle) that employers need to deal with when putting in place their Covid-19 measures for their employees:
When collecting personal data from their employees as part of their Covid-19 measures, employers need to take into account the following:
a. When determining what kind of personal data (e.g. daily temperature checks and travel history declarations) needs to be collected, employers need to ask themselves what personal data will they need to fulfil their purposes. For the purposes of Covid-19, employers can collect such personal data to comply with any other requirements imposed by the other authorities such as the health ministry. It is important not to over-collect as this has implications in the subsequent stages of the information lifecycle.
b. When executing the collection of the personal data, there is a need to inform/notify the employees of the purpose(s) for the collection, use and disclosure of the personal data. It is reasonable to rely on some of the exceptions to consent because it is necessary to respond to an emergency that threatens the life, health or safety of other individuals. But employers need to be mindful of the other data protection obligations.
c. When deciding how to collect the additional personal data (e.g. using a physical/electronic form or a QR code that links to a form for entering the personal data).
It must be noted that because this is the starting point of the information lifecycle, what happens at this stage will have implications in the rest of the stages of the information life cycle. The risk of excessive collection at the start, coupled with little or no security measures such as leaving a list of visitors to the employer’s office with their personal data and temperature readings exposed at the reception counter of their office could create risks of misuse, excessive disclosure/transfer, over-retention and forgotten disposal if a risk assessment exercise (such as a data protection impact assessment) was not conducted at this stage.
When using/processing such additionally collected personal data, employers need to ensure that there are controls and procedures in place to ensure that these additionally collected personal data is only being used/processed by authorised personnel for the purposes set out in Stage 1. It is important to assign an owner to the personal data of visitors and clients that are collected and processed. It could be the admin department that oversees the office reception.
It is best practice that these controls come in a single or a combination of technical, administrative and physical measures. It is important that the amount of measures in place will be dependent on the amount of and the type of personal data that is collected and/or processed:
Technical: electronically completed travel declaration forms be captured and stored in a folder that is only accessible through an implemented internal access control matrix. Such a matrix should be as all-encompassing as possible to include the duration and validity of access.
Administrative: policy or SOP documentation in place for the rules of using the completed travel declaration forms. These rules should include the need for an employee to report to a single designated person within the employer (e.g. HR) should he/she contract the Covid-19 and the employer would be required to disclose the same to public health authorities. Such policy or SOP documentation should include who within the employer is authorised to access those travel declaration forms and that employees are not allowed to engage in any indiscreet conversation between themselves regarding any personal data that is collected in those completed travel declaration forms.
Physical: putting in access controls like all completed physical travel declaration forms to be kept under lock and key by HR or if employees are required to take their own temperatures and self-declare on a sheet that is left at the reception area. For example, the physical measures could be done in such a way that they can only see their own entries and not the entries of their colleagues. There should also be no declaring on behalf of any employee as each employee should only be responsible for his/her own self-declaration.
Employers will need to establish the stakeholders they will need to disclose such additionally collected personal data. The first will be the external public agencies such as the health authority or immigration or border control authority. Employers must have a process in place for such disclosure to public agencies and/or their contact tracing officers and be able to cooperate with them to provide the necessary assistance and support. Do note that there are other employment-related obligations that the employer will need to abide by as well under such circumstances but this is outside the scope of this article.
The next stakeholder will be the employee (i.e. the data subjects themselves) as all data protection laws do grant the data subjects to exercise their rights of access and/or rectification. As these are legal requirements under data protection laws, the employers must know what to do and set procedures in place to handle these requests. It is important therefore to have a set of FAQs being prepared and available upon the employees’ request. That being said, how the employer deals with the exercise of the employee’s rights of access and/or rectification will depend on the nature and extent of the request. The employer must comply with any such rules against (if any) of acceding to an access or rectification request made on behalf of an employee.
Employers will also need to know whether these personal data are transferred out of their local jurisdiction. This is especially important if they are using electronic means such as Google Forms to collect the personal data from their employees. Where such a situation occurs, employers must ensure that they perform due diligence on these third parties and ensure that there is a contract in place with these third parties.
All data protection laws will state that personal data cannot be stored/retained forever and there must be an end-date for all personal data. This is one aspect that is often overlooked because it is always “after the event”. These are some items employers need to take note of at this stage:
Know the storage locations for both physical and electronic documents: It will be helpful to ensure that all collected travel declaration forms be centralised at one or two locations. Put in procedures for ensuring that all completed travel declaration forms do end up in one or two designated locations.
Know that there is a retention limit (even if it is unknown at this stage): Every completed travel declaration form has a shelf-life. While this is something that may not be on employers’ minds at the time of writing this article, employers do need to bear this in mind.
Remember to delete/dispose: While this will most likely not be on everyone’s minds right now because everyone is trying to put in measures to contain the spread of the virus, disposal or deletion will be something that everyone will eventually have to do. Importantly, employers must set a task to designate someone to delete/dispose of these completed forms. This process should be supervised by someone and carried out eventually.
It is hoped that all that has been stated above provide some useful advice for employers as they handle their employees’ personal data during this Covid-19 situation. Where is the DPO in all of this? In my view, the DPO is present in all of the 4 stages, working alongside the HR or any other department who has been designated to handle this additional portfolio to handle these issues and ensuring that the back-end procedures are set up and in operations.
Article contributed by:
Josiah Poh. LLB(Hons), ACIS, ACS, CIPM, GRCP, CIPP/A, CIPT, FIP
Senior Manager (Consultancy & Legal)
Data Protection Officer
Straits Interactive Pte Ltd
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
Access online / in-person courses and view past training records
Join lively discussions on pertinent data protection topics
Gain access to data protection research and video resources
Receive value-added data protection updates from the region
The novel coronavirus, or COVID-19, has been receiving global attention, and co…
On Wednesday, 11 March 2020, the World Health Organisation (WHO) declared COVID…
Here are some general tips that your organisation can follow at each stage of i…