We have spoken a lot about WFH. But what about “return to office”? Here are some tips for a seamless return from a privacy perspective. Firstly – be careful with sensitive data. If you are processing test results, these are health data, and hence they are sensitive data. You need an Article 9 condition. The relevant condition will be the employment contract legal basis in Article 9(2)(b).
Demonstrate accountability through a DPIA. This DPIA should set out:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
Collect the minimum amount of data. For example, you will probably only require information about the result of a test, rather than additional details about underlying conditions.
Keep the data accurate. Record the date of any test result to pin it to a particular time period. The health status of individuals may change over time, and a test result may no longer be valid.
Keep lists of affected employees very securely. Work with your HR teams or other site leaders to ensure restricted access, password protection, etc.
Transparency is crucial, so a privacy notice to staff will be required prior to processing. This doesn’t have to be “legalistic”; it could be beneficial to write a short note to colleagues to let them know how you plan to support them and their families in case of infection.