Employers should NOT:
- require that employees communicate to them daily a statement of their body temperature or fill out medical sheets or questionnaires
- have visitors or other external persons sign a declaration by which they certify that they have no symptoms of the coronavirus or that they have not recently traveled to a risk zone, etc.
- invite employees/agents to provide information in connection with a possible exposure to them or to the competent health authorities
- facilitate the transmission of information by setting up, if necessary, dedicated channels to guarantee data security and confidentiality
- promote remote working methods and encourage the use of occupational medicine
From the Irish Data Protection Commission:
- Data protection law does not stand in the way of the provision of healthcare or management of public health
- Measures taken in response to Coronavirus involving the use of personal data should be necessary and proportionate and informed by the guidance of relevant authorities.
- You may process health data under Art. 9(2)(i) GDPR once suitable safeguards are implemented (e.g. access limitation, strict time limits for erasure, adequate staff training).
- Employers have a legal obligation to protect their employees. Data may be processed under Art. 9(2) GDPR where necessary and proportionate.
- You may process personal data to protect the vital interests of an individual where necessary, e.g. where the individual is incapable of giving their consent.
- An employer should not disclose that an employee has the virus to their colleagues. Instead, inform staff that there has been a case in the organization and request that employees work from home.
- Principles of transparency, confidentiality, security, data minimization and accountability apply.
Read the full text of Luxembourg’s guidance.