
Employers could be breaking GDPR law by telling colleagues you’ve tested positive for Covid

Burness Paull employment law solicitor Grant McGregor

Employers need to tread carefully when it comes to just how much information they disclose to staff about Covid-19 in the workplace or risk breaking GDPR law.

Likewise, bosses who are demanding their employees disclose their vaccination status or implement “no jab, no job” policies must also tread carefully.

That’s the warning from Aberdeen employment law specialist Grant McGregor, based at Burness Paull.

Employers could face prosecution for breaking GDPR law on Covid

It’s a topic that can spark debate. If someone in the workplace tests positive for Covid, should staff be told their name?

But disclosing the person’s name – without fulfilling a specific set of reasons – is breaking the General Data Protection Regulation (GDPR) law and employers could find themselves facing a criminal prosecution.

Mr McGregor said: “When you’re speaking about somebody’s health data, whether or not they’ve contracted Covid, it’s defined under the law as special category data.

“The law is a lot more prescriptive about when you can collect that sort of data and what you can do with it.”

He said employers may have reason to need to know staff members’ vaccination status, or, if they have contracted the disease, how to manage time working from home or statutory sick pay.

“That’s the key thing when you’re thinking about the disclosure of people’s personal data, particularly sensitive personal data – is it really necessary for us to disclose it?” he said.

“There can be situations where you need to provide adequate information to protect their health and safety.”

Warning not to ‘name names’

Mr McGregor believes the best move for employers would be to not disclose any names and instead just warn fellow employees so they can take the necessary precautions.

He said: “You might have details of who exactly has contracted Covid but you don’t need to go further and share that data more widely than you absolutely need to.

“More often than not, it’s going to do the job to protect yourself to say someone has contracted it without going on to name names.”

Data protection must be followed

Disclosing the name of someone without meeting specific guidelines would lead to a breach of GDPR.

GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU) and aims to protect them from privacy and data breaches.

Compliance with UK data protection rules is overseen by the Information Commissioner’s Office (ICO).

Mr McGregor said: “You would be looking at the provisions of the GDPR and also the Data Protection Act 2018. Those are the key pieces of legislation.

“It says you should only be disclosing this data where it’s absolutely necessary.

“There’s a specific set of reasons where you can disclose this kind of data, one of which is where it’s to discharge obligations you’ve got to other employees such as protecting their health and safety.”

What penalties can employers face if they breach GDPR law on Covid?

However, if an employee feels there’s been a breach of their data protection they have a right to make a complaint to the ICO. And while the information watchdog has so far taken a “pragmatic” approach to breaches or complaints during the pandemic, the risk still exists.

Mr McGregor said: “They can say they think there’s been an infringement of their data protection rights because their employer has shared more information than they ought to have and ask for it to be looked into.

“The ICO has a wide range of powers available to it, up to and including instigating criminal prosecutions.

“But with that being said the ICO has said throughout the pandemic that it’s going to take a pragmatic approach to enforcement, recognising that the pandemic is such an unusual situation.”

‘No jab no job policy’

The debate on the so-called ‘no jab no job’ policy continues to divide people.

Employers are warned the main legal risk is the potential for discrimination complaints from job applicants who object to vaccination on grounds the law protects, such as their religion or philosophical belief, a pre-existing medical condition that amounts to a disability or pregnancy.

Mr McGregor said: “Importantly the protection against discrimination afforded by the UK Equality Act extends to jobseekers as well as existing members of staff.

“For an employer to mandate vaccination it would be necessary for them to demonstrate, through their health and safety risk assessments, that having a vaccine is necessary for the role being applied for and the most reasonably practicable way of reducing the risks associated with Covid-19 with the role compared to other alternatives.”

Vaccine status privacy

Another big question is whether people should be legally obliged to tell their employers about their vaccine status.

Mr McGregor said: “There may be circumstances where it is justified, it’s ultimately going to come down to this question of whether or not the data is truly necessary.

“What we would be recommending to employers if they are intending on making it mandatory for people to disclose whether or not they’ve been vaccinated, they should be carrying out what’s known as a data protection impact assessment.

“It is basically where you document the reasons why you think it’s necessary to be collecting information about somebody’s vaccine status.”


There could be some sectors where the question may need to be asked, particularly in energy.

Mr McGregor said: “The main reasons are going to be health and safety-related.

“For some in the energy industry, maybe they’ve got clients who want to know whether workers that are being provided to them are vaccinated or not.

“They might say they are not having people onto a worksite unless they’re vaccinated.

“In those situations, I think you’re going to have more compelling grounds to ask for and provide that information.

“But certainly, the advice from the ICO and the advice we’d be giving to employers is where they are asking staff for their vaccine data they should be carrying out the data protection impact assessments and properly weighing it up.”

Fines worth hundreds of millions of euros have been handed out by information commissioners around Europe since the GDPR was introduced in May 2018.

There are two tiers of penalties, with a maximum of 20 million euros (about £14.7m) or 4% of global revenue.