In recent weeks, employers have been busy implementing the recommendations set out in the Government’s Return to Work Safely Protocol, in preparation for employees returning to the workplace. Somewhat surprisingly, the Protocol makes no reference to the need to comply with data protection law, yet the measures recommended by the Protocol involve the processing personal data, in particular health data.
There has been a growing concern amongst employers in regard to how to ensure compliance with data protection law when implementing the protocol, in particular in relation to the issue and retention of pre-return to work questionnaires; use of contact tracing logs; and temperature testing. The Department of Business, Enterprise and Innovation (DBEI) and the Data Protection Commission (DPC) have now published guidelines clarifying how employers can implement the Protocol in a manner that complies with their data protection obligations.
The guidelines clarify that:
Temperature testing should not yet be considered a requirement under the Protocol. If employers are carrying out such testing, for instance in high risk workplaces, then they should consider conducting a DPIA and ensure the testing is necessary and proportionate.
Pre-return to work questionnaires completed by employees should collect the minimum information necessary and should not be retained once employees return to the workplace.
Where contact tracing logs are kept by an employer in respect of employees who are in close contact for extended periods of time, where social distancing is difficult to maintain, such logs should generally only be retained for the purpose of facilitating the HSE’s official contact-tracing procedures and to act as a memory aid for employees regarding close contacts. The data should only be retained for as long as necessary for this purpose. Employers should avoid disclosing information relating to a particular employee’s COVID-19 diagnosis to other employees.