Up Again Ireland: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Carrying out temperature monitoring and other health checks in compliance with data protection law in Ireland is not straightforward and may create a GDPR compliance risk. However, this risk needs to be weighed against the risks of the impact of a COVID-19 outbreak in the business, both in health and safety and business-continuity terms. The Irish Data Protection Commission (DPC) has published guidance recommending that measures taken by businesses in response to COVID-19 involving the use of personal data, including health data, must be necessary and proportionate and that decisions in this regard should be informed by the guidance and directions of public health authorities.

The Irish government has issued a Return to Work Safely Protocol, which requires employers to implement temperature testing in line with public health advice. However, the Health Service Executive (HSE) has not yet adopted the World Health Organisation recommendation that temperatures should be checked on a daily basis by all employers – other than those in residential care facilities. Concerns expressed by the Chief Medical Officer about the practice include:

  • it has not proved to be effective in past outbreaks;
  • it may have unintended consequences; and
  • those with fever may conceal this by taking antipyretics, which can result in a false sense of security.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

The DPC has advised that, in the current circumstances, employers would be justified in asking employees and visitors to inform them if they have visited an affected area or have been into contact with infected persons.

However, the DPC advice notes that implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality on the basis of a risk assessment. For example, organisations would need to be able to demonstrate that they have already put in place some means of employees and visitors informing the business that they have symptoms or are at risk, such as by email to HR/facilities.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Employers would be justified in asking employees to inform them if they have been diagnosed with COVID-19 or come into contact with infected persons (whether in their household or otherwise).

Antigen testing or mandatory disclosure of test results would require a strong justification. Some businesses are looking at offering voluntary testing without disclosure of test results to the employer as part of a range of return-to-work safeguards – this is a lower-risk solution that would not face the same legal challenges.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

We recommend that identifying details not be communicated to other staff. Both the DPC and the HSE have advised that disclosing the name of a sick employee to other colleagues should be avoided. The DPC further advises that if an employee contracts COVID-19, then organisations should contact public health authorities, who will advise on next steps.

If an individual does contract COVID-19, organisations would be justified in informing staff that there has been a case, or suspected case, in the organisation and advising on risk-mitigation measures. This communication should not name the affected individual(s).

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

The DPC advises that if an employee contracts COVID-19, organisations should contact public health authorities, who will advise on next steps.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Transferring any personal data within a group of companies, either outside of the EEA or otherwise, requires an appropriate international data transfer mechanism to be in place. Personal data cannot be transferred outside of the EEA unless organisations have specific mechanisms to ensure lawful transfer, such as standard contractual clauses or binding corporate rules. Such disclosure and sharing also needs to be communicated to employees in the relevant privacy notice that describes how their personal data is processed by their employer.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Yes, if such data is collected and processed in accordance with the GDPR and the Data Protection Act (DPA).

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

If organisations make a risk-based decision to collect health data as part of their preventive/protective measures, having checks conducted by an independent medical professional in private is likely to be considered as a mitigating factor. Transparency obligations – such as ensuring privacy notices are updated, ensuring appropriate signage, and sending email communications explaining any new data collection – must be considered by employers when they undertake these new measures. In addition, principles of data minimisation and necessity should always be adhered to, and retention periods should be kept to a minimum for all personal data collected as part of these increased measures. Finally, carrying out data protection impact assessments (DPIAs) and documenting decision-making is one of the key steps to comply with the accountability principle.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

An administrative fine against an organisation for an infringement of GDPR may be up to EUR20 million or 4% of the organisation’s worldwide annual turnover for the preceding year (whichever is higher).

Any person who has suffered material or non-material damage as a result of a GDPR infringement is entitled to receive compensation from the controller or processor for the damage suffered (Article 82 GDPR).

Individuals may bring a data protection action for damages against an organisation if an individual believes their rights under the GDPR have been infringed as a result of an organisation’s failure to comply with its obligations under GDPR (Section 117 DPA).

In many ways, while the financial implications of a GDPR or DPA breach are severe, businesses will be even more concerned with the reputational damage of being publicly found to have failed to take into account employees’ privacy rights and to balance them, as required, with other critical health, safety and business-continuity considerations.