Handling coronavirus medical information – new guidance from ICO

Employers may collect medical data from their staff as a result of the coronavirus pandemic, whether it’s a report that the employee has had the illness or something more specific. How should you manage this information?

Confidential information

In order to manage the risks, you might now need to know a little more about your staff’s health than you would in normal operational circumstances. For example, some key workers will be encouraged by their managers to attend testing stations, and others might need to share with their employer that they are more vulnerable to the virus due to an existing health condition.

The Information Commissioner’s Office (ICO) is advising employers to prepare for how they will manage this sensitive data and, to help, it has published a set of frequently asked questions. It emphasises the restrictions that surround medical data, not only in the form of coronavirus test results, but also less formal information, e.g. lists of those who suspect that they have had the virus.

Warning. The law in this area is complex, and the penalties for getting it wrong are substantial.

Special status

Health data has the protected status of “special category data” under the GDPR. As such, if you keep medical information you must have particularly good reasons for doing so, either for the protection of staff or others such as clients in your care.

Tip 1. If you plan to undertake testing, or collect test result information, having a data protection impact assessment will give you some protection should you be accused of wrongdoing at a later date.

Tip 2. The ICO has provided a template to help you. It asks you to describe:

  • the activity being proposed
  • the data protection risks
  • whether the proposed activity is necessary and proportionate
  • the mitigating actions that can be put in place to counter the risks; and
  • a plan or confirmation that mitigation has been effective.

Tip 3. You can ask staff to attend a testing station and report their results, but check with your HR advisor whether this process is covered by your current terms and conditions of employment.


For many organisations, their only foray into coronavirus data will be the keeping of a list of employees who say they have had the illness and maybe using the information to enable staff to know if they could have been exposed to the virus.

Tip 1. There are rules, even for keeping a list of employees affected by coronavirus. Before doing so consider:

  • whether it is necessary
  • how you will keep the information secure
  • how to ensure that such lists do not result in any unfair or harmful treatment of employees; and
  • how you’ll prevent the data being used for any purpose other than those which staff would reasonably expect.

Tip 2. The key to compliance is to only collect the minimum amount of personal data needed to keep staff and customers safe.

Tip 3. You’ll need to inform staff if their colleague has a suspected or confirmed case of coronavirus, but don’t share more information than is strictly necessary. If possible, don’t even share the name of the affected staff member.


1 Comment

  1. Shane watsoon says:

    Thanks for this great article, I found similar to this. It’s very helpful and informative. Please see this PIA.
