6 minute read 2 Sep 2021

How COVID-19 continues to affect data privacy in employment

Authors
Meribeth Banaschik

Partner, Forensic & Integrity Services, EY GmbH Wirtschaftsprüfungsgesellschaft; EY Europe West Forensics Discovery & Digital Solutions Lead

Attorney and former litigator. Provides talent and experience in eDiscovery solutions, managed document review, data protection compliance, disputes and contract management.

Paula Hogéus

EY Global Labor and Employment Law Leader and Nordics Law Leader

Advisor to clients on a wide range of domestic and international employment law issues - workforce restructuring, strategic workforce planning, workforce risk management and HR transactions.


As the “workplaces of the future” debate continues, data privacy and employment matters should be top of mind for organizations.

In brief
  • It is vitally important for organizations to understand how to maintain high privacy and security standards for employees who work remotely.
  • Companies must determine how much information about an employee’s health status should be disclosed for public health purposes.
  • Businesses should assess how to manage an increase in data subject access requests linked to furlough and redundancy.

The data privacy and employment law landscapes continue to change and adapt to constant developments related to the COVID-19 pandemic. The discussion around the intricacies of remote working and government furlough schemes is ongoing. In many parts of the world, there is now additional focus on ways to return to the office, the role that vaccination programs play in this effort and the processing of employee personal data linked to COVID-19.

If remote working is here to stay, are organizations ready?

With remote working being a necessity in some areas for more than a year now and with it likely becoming a regular working pattern, the associated data privacy risks remain relevant. 

From an employment law perspective, whether the work is conducted at an office or employees’ homes, the employer is responsible for the employees’ working environment, including their health and safety. Employers need relevant policies and routines in place to confirm that work environment risks are assessed and followed up on a regular basis. Risk assessments of the work environment at an organizational level must also involve any appointed employee safety representatives.

This obligation may trigger an increased burden of responsibility on legal, compliance and HR departments. The 2021 Global EY Law Survey shows that law departments face rising volumes of work, with 75% of general counsel expecting workloads to outpace budgets over the next three years.

Discussions around a potential return to the office are underway in many organizations. The Global EY Return to Office Tracker navigates the existing legal framework for returning to the office, enforceability of employment contract obligations, and employee rights and obligations across jurisdictions.

COVID-19 and employee health data

Employers are faced with new challenges in collecting and processing employee personal data. HR personnel and health screening questionnaires have posed sensitive questions covering potential virus contraction, vaccination information and travel plans, while some employers consider using electronic vaccination passports to assess vaccination status.

According to Article 9 of the General Data Protection Regulation (GDPR), processing personal health data has a wide definition and is generally prohibited, but the article provides exceptions in relation to processing. While employee consent is required to collect and process sensitive personal data to the extent the data is essential to meet the purposes of the employment relationship, employers can lawfully request disclosure and processing of employees’ health data by virtue of the existing employment relationship, or for reasons of public interest.

Article 6 of the GDPR provides two additional lawful bases for processing health-related personal data: where it is necessary to comply with a legal obligation to which the controller is subject or to protect the vital interests of the data subject or another natural person. For instance, providing information about recent contraction or exposure to COVID-19 to an employer may assist in limiting further transmission of the disease.

In comparison, the California Consumer Privacy Act does not specifically list the lawful grounds on the basis of which organizations can process personal data, and it also notably limits the right of access for employees. While this was expected to change, the California Privacy Rights Act extended this exception to January 2023.

Can employers force vaccinations?

Under GDPR, employers can ask whether an employee has been vaccinated, but they cannot generally request that employees get vaccinated. However, special considerations may be needed depending on the type of work that will be carried out. In certain jurisdictions, there is no definitive right for employers to mandate a vaccine, but the law stipulates that they must consider several factors, including the industry or sector in which they operate and whether such a condition would be reasonable.

Several jurisdictions, for example, indicate that health care workers could reasonably expect to be obliged to obtain vaccinations. Only a few jurisdictions report that the employer may bear the burden of funding the vaccine directly; it is more likely that, according to government policy to promote mass vaccination, employers will be obliged to allow employees paid leave to attend public health centers to be vaccinated. The Global EY Return to Office Tracker navigates the existing legal framework in more than 60 jurisdictions.

Generally, employees cannot be dismissed on the basis that they refused to get vaccinated, but this could change if a statutory vaccination requirement is introduced.

Increased data subject access requests

Many are expecting a spike in data subject access request (DSAR) submissions due to the widespread use of furlough schemes and the mass redundancies that have been taking place due to the pandemic.

While there may be significant differences in approach across jurisdictions, the EY Labor and Employment Law Tracker provides a current snapshot of legal considerations with regard to employer rights and obligations, government furloughs, and incentive schemes as well as relevant topics of workforce transformation.

Technology plays a significant role in DSAR intake and identity verification, data redaction, data encryption for secure delivery and case management. Carefully selecting technology solutions for each part of the process will provide quick turnarounds to comply with regulatory deadlines, reduced cost and increased scalability.

While technology offers solutions to privacy topics including DSARs, respondents to the 2021 Global EY Law Survey ranked data privacy and cybersecurity risks as “8 out of 10” compared to the other risks facing the organization in the next 12 months. This indicates that many organizations are still facing issues finding the right strategy to deal with privacy compliance and risk management.

Transferring employee data post-Schrems II

If employee personal data needs to be transferred and processed across borders, additional considerations come into play. The recent Schrems II decision (Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems [1]) by the European Court of Justice deemed the EU-US Privacy Shield to be an inadequate mechanism to enable data transfers to the US under EU law as it doesn’t provide an adequate level of protection.

This decision has impacted numerous businesses that conducted transatlantic trade solely on the basis of this adequacy decision and were instructed to immediately terminate processing personal data and institute another approved transfer mechanism, such as standard contractual clauses (SCCs). The decision also introduced the obligation for a case-by-case assessment of SCCs to confirm that adequate protection is provided. The Court specified that the protection assessment must consider both the SCCs agreed between the EU data exporter and the data importer established in a third country, and any access by the public authorities of that third country, as well as the relevant aspects of its legal system. Recently, the European Commission released its final Implementing Decision on SCCs for the transfer of personal data from the EU to “third countries” such as the US, based on which the new SCCs will repeal and replace the existing SCCs.

Considering the amounts of employee personal data that are being transferred from the EU to the US, often by large multinationals headquartered in the US with workforces in the EU, the implications of the Schrems II decision on employers are significant. Organizations need to continue identifying any data transfers that in the past would rely on the Privacy Shield and put alternative measures in place. Similarly, the European Commission finally adopted two adequacy decisions under the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), which allow personal data to flow freely from the EU and the European Economic Area (EEA) to the UK. This means that no additional measures (including SCCs) need to be taken by UK organizations to continue to receive personal data from the EU and the EEA.

What lies ahead

Adaptations to data privacy and employment law have been commonplace since the beginning of the COVID-19 pandemic. With a future involving an expected mix of remote and in-office work, the role vaccinations play in it and the processing of employee data related to COVID-19, employers and employees will continue to be faced with change.

Article references

1. Electronic Privacy Information Center website, https://epic.org/privacy/intl/dpc-v-facebook/ireland/#:~:text=In%20Data%20Protection%20Commissioner%20v,data%20protection%20and%20privacy%20rights, accessed 5 August 2021.

Summary

Throughout the pandemic, the one constant with data privacy and employment law has been adapting to ongoing developments. In many parts of the world, the focus is now on ways to return to the office, the role of vaccination programs and processing employee personal data related to COVID-19.
