Employers need to tread carefully when it comes to just how much information they disclose to staff about Covid-19 in the workplace or risk breaking GDPR law.
Likewise, bosses who are demanding their employees disclose their vaccination status or implement “no jab, no job” policies must also tread carefully.
That’s the warning from Aberdeen employment law specialist Grant McGregor, based at Burness Paull.
Employers could face prosecution for breaking GDPR law on Covid
It’s a topic that can spark debate. If someone in the workplace tests positive for Covid, should staff be told their name?
But disclosing the person’s name – without fulfilling a specific set of reasons – is breaking the General Data Protection Regulation (GDPR) law and employers could find themselves facing a criminal prosecution.
Mr McGregor said: “When you’re speaking about somebody’s health data, whether or not they’ve contracted Covid, it’s defined under the law as special category data.
“The law is a lot more prescriptive about when you can collect that sort of data and what you can do with it.”
He said employers may have reason to need to know staff members’ vaccination status, or, if they have contracted the disease, how to manage time working from home or statutory sick pay.
“That’s the key thing when you’re thinking about the disclosure of people’s personal data, particularly sensitive personal data – is it really necessary for us to disclose it?” he said.
“There can be situations where you need to provide adequate information to protect their health and safety.”
Warning not to ‘name names’
Mr McGregor believes the best move for employers would be to not disclose any names and instead just warn fellow employees so they can take the necessary precautions.
He said: “You might have details of who exactly has contracted Covid but you don’t need to go further and share that data more widely than you absolutely need to.
“More often than not, it’s going to do the job to protect yourself to say someone has contracted it without going on to name names.”
Data protection must be followed
Disclosing the name of someone without meeting specific guidelines would lead to a breach of GDPR.
GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU) and aims to protect them from privacy and data breaches.
Compliance with UK data protection rules is overseen by the Information Commissioner’s Office (ICO).
Mr McGregor said: “You would be looking at the provisions of the GDPR and also the Data Protection Act 2018. Those are the key pieces of legislation.
“It says you should only be disclosing this data where it’s absolutely necessary.
“There’s a specific set of reasons where you can disclose this kind of data, one of which is where it’s to discharge obligations you’ve got to other employees such as protecting their health and safety.”
What penalties can employers face if they breach GDPR law on Covid?
However, if an employee feels there has been a breach of their data protection, they have a right to make a complaint to the ICO. And while the information watchdog has so far taken a “pragmatic” approach to breaches or complaints during the pandemic, the risk still exists.
Mr McGregor said: “They can say they think there’s been an infringement of their data protection rights because their employer has shared more information than they ought to have and ask for it to be looked into.
“The ICO has a wide range of powers available to it, up to and including instigating criminal prosecutions.
“But with that being said the ICO has said throughout the pandemic that it’s going to take a pragmatic approach to enforcement, recognising that the pandemic is such an unusual situation.”
‘No jab no job policy’
The debate on the so-called ‘no jab no job’ policy continues to divide people.
Employers are warned the main legal risk is the potential for discrimination complaints from job applicants who object to vaccination on grounds the law protects, such as their religion or philosophical belief, a pre-existing medical condition that amounts to a disability or pregnancy.
Mr McGregor said: “Importantly the protection against discrimination afforded by the UK Equality Act extends to jobseekers as well as existing members of staff.
“For an employer to mandate vaccination it would be necessary for them to demonstrate, through their health and safety risk assessments, that having a vaccine is necessary for the role being applied for and the most reasonably practicable way of reducing the risks associated with Covid-19 with the role compared to other alternatives.”
Vaccine status privacy
Another big question is whether people should be legally obliged to tell their employers about their vaccine status.
Mr McGregor said: “There may be circumstances where it is justified, it’s ultimately going to come down to this question of whether or not the data is truly necessary.
“What we would be recommending to employers if they are intending on making it mandatory for people to disclose whether or not they’ve been vaccinated, they should be carrying out what’s known as a data protection impact assessment.
“It is basically where you document the reasons why you think it’s necessary to be collecting information about somebody’s vaccine status.”
There could be some sectors where the question may need to be asked, particularly in energy.
Mr McGregor said: “The main reasons are going to be health and safety-related.
“For some in the energy industry, maybe they’ve got clients who want to know whether workers that are being provided to them are vaccinated or not.
“They might say they are not having people onto a worksite unless they’re vaccinated.
“In those situations, I think you’re going to have more compelling grounds to ask for and provide that information.
“But certainly, the advice from the ICO and the advice we’d be giving to employers is where they are asking staff for their vaccine data they should be carrying out the data protection impact assessments and properly weighing it up.”
There are two tiers of penalties, with a maximum of 20 million euros (about £14.7m) or 4% of global revenue.