Back at Work: Covid-19 and the GDPR

The Government’s recently-issued ‘Return to Work’ protocol marks the beginning of a new phase of dealing with the Covid-19 crisis, as we attempt to return to some form of ‘normality’ while acknowledging that the danger has not gone away and that new procedures are needed to keep our colleagues, our clients and ourselves safe.

In addition to the understandable desire to provide a safe working environment for all those returning to the office or workplace, we must also ensure that the measures we put in place (technical, organisational or procedural) are appropriate, proportional and compliant.

The Return to Work (RTW) guidance is effectively divided into three phases or areas of focus:

• Preparation for the return of staff and customers
• Management of day-to-day activity within the shop, office or premises
• Appropriate responses to Covid-19 related incidents or illness at work

All three phases have GDPR implications and we will outline them in a series of three blog posts as part of our Returning to Work (RTW) and GDPR Considerations eBook for consideration.

In this, the second of three blog posts we will look at back at work and management of day-to-day activity within the shop, office or premises.

Once back on the premises, staff should be reminded regularly about the appropriate measures in place to protect their safety and to prevent the spread of the virus. This may involve awareness-raising, refresher training at appropriate frequency, and monitoring to ensure that these measures are understood, adopted and complied with. This should be done in a sensitive manner, since it is reasonable to expect that everyone will be nervous in the initial weeks of being back on-site. Any monitoring should be proportional (Pr. 3) and clearly communicated, so that staff do not feel that their privacy or personal space is threatened.

Equally, however, employers should control the activities of customers and visitors to the site, providing clear notifications and posters advising about the measures in place, the Covid-19 symptoms and the appropriate actions to take. This might include the introduction of new measures, such as asking visitors to sign in or asking them to maintain distance from staff while on the premises. Here again, CCTV, physical security (screens or floor markings) and other measures may be used for this purpose, as long as such measures are appropriate, fair and proportional.

It would also be considered appropriate to maintain a log of staff and visitors coming and going from the premises, particularly those who spend substantial time on-site. The purpose of the logging is to be able to conduct contact tracing in the future, in the event that a staff member or contractor is diagnosed with the virus. Consequently, the necessary contact details should be sought from site visitors in order to enable future follow-up with them. In parallel, however, we recommend that such logs are only valid for the incubation period of the virus and should be deleted after 14 days (in compliance with Principle 5) unless any adverse diagnosis is reported in the interim.

We have included a suggested template for a Personal Contact Log in Appendix II of our Returning to Work (RTW) and GDPR Considerations eBook.

If you would like to learn more about GDPR principles which apply to Back at Work and guidance for employers on key questions being raised, you can download a free copy of our Returning to Work (RTW) and GDPR Considerations eBook by clicking on the link below or you can call us on +353 (0) 1 513 6301 to find out how we can support you and your organisation as you run through the specific challenges of your site or circumstances.