26/03/20

Data protection and IT: Think about employee privacy

Think about employee privacy, including the privacy of those who may be infected. It is important to note in particular the following:

You cannot impose systematic tests on your employees (save in specific situations that might be ordered by the government). It is better to politely ask an employee with a fever to contact the occupational physician. Better yet, ask employees to stay at home if they feel they may be developing symptoms (and support rather than stigmatize them, of course).

You cannot disclose the names of infected employees (even internally). The fact that someone is infected or not is personal data relating to health, which you are prohibited from disclosing except:

  • to the extent necessary to comply with employment and/or social security obligations, or
  • to the extent necessary to protect the "vital interests" of the employee or another natural person (e.g. to call emergency services if the employee is no longer physically able to do so). Note: it may be that this aspect will be given a broader interpretation as the situation evolves.

And no, don't inform the employee’s colleagues even if you have the employee’s consent. Given the hierarchical nature of the employer-employee relationship, the "free" nature of employee consent can be called into question.

The most recent guidance by relevant authorities is available online:

Prepare a communications strategy

If you do not yet have one for crisis situations. Should there be an infection or outbreak in your company, it is preferable to be in control of the message. This is relevant for COVID-19 as well as other situations (ransomware and other incidents).

Activate your business continuity plan.

Such a plan is a best practice and even compulsory in certain critical industries such as the financial sector. The plan describes what to do if the offices can no longer be used and ideally should indicate alternative premises.

Homeworking does not equate to loss of control

As long as you set clear rules beforehand and abide by applicable laws. Time-tracking and IT monitoring tools are permitted under certain circumstances, and in most EU countries you first need to properly inform employees of the possibility of monitoring, sometimes even involving the works council in a consultation process. Make sure you do so before you roll out your monitoring system.

Remote working can endanger business information and personal data, depending on the tools chosen

Make sure you don't lose the protection working in the office provides, such as the confidentiality of business information and the protection of personal data relating to your employees. Check carefully the terms of any screen-sharing or videoconferencing tool you wish to use, as some allow the provider to reuse the shared content or to analyse conversations.

Revisit IT outsourcing arrangements

The last few weeks have shown that even when companies and organisations do not encounter problems themselves, their suppliers may, which could have an adverse effect on their business. Therefore, in the IT context, it is prudent to revisit outsourcing arrangements and verify the impact of potential delivery failures by external service providers.
