Covid-19: Return to work – what to consider from a data privacy and employment law perspective

Following nearly three months of lockdown in the UK in order to combat the spread of Covid-19, non-essential retailers will be allowed to reopen on 15 June 2020. All retailers need to consider employment and data protection issues as part of their return to workplace (RTW) and store re-opening planning.

Businesses have a legal duty to protect the health and safety of their employees and customers. In the context of a potential return to work and the reopening of stores, this will generally mean, as a starting point, retailers complying with the ‘Working safely during coronavirus (COVID-19)’ guidance, and associated general Covid-19 guidance, published by the UK Government. The guidance sets out certain minimum expectations and best practice suggestions to reduce the risk of infection, and includes specific considerations for shops and offices. The UK data protection regulator, the Information Commissioner’s Office (ICO), has also published detailed guidance on what personal data can be collected on employees as part of RTW.

One of the key messages from the guidance is that all employers are expected to work with their employees to conduct a Covid-19 risk assessment. This should identify the specific Covid-19 risks relevant to a workplace, and the steps that can be taken to remove or alleviate these risks. 

Set out below are some key issues retailers should consider from a data privacy and employment law perspective as part of their upcoming re-opening of stores and a potential RTW.

  • What information can we collect from employees and customers? In relation to employees and customers, retailers should consider what personal data is needed in order to fulfil their legal obligations to protect employees and customers from risks to their health and safety with a re-opening. Importantly, collection of personal data should be proportionate and necessary to protect against the risk of Covid-19 within the workplace and within stores. Therefore, careful thought should be given as to what data should be collected, particularly on the health of employees and customers.
  • What information do we need to provide to employees and customers? Employee and customer related data privacy notices should be reviewed to check they are broad enough to collect the data required as part of the RTW planning. Importantly, employers should consult with employees or elected representatives when carrying out the required RTW risk assessment (e.g. seek their input on the risks identified and safety measures proposed). In relation to customers, the guidance states customers must be provided with clear information on the social distancing and hygiene measures to be deployed in store upon arrival (e.g. this could be in the form of signage and posters). 
  • Do we need Covid-19 policies? Many businesses are now developing policies to deal with Covid-19, recognising that the pandemic may have long lasting impacts on them; for example, developing specific policies to deal with infectious diseases, working from home and amending existing policies, such as disciplinary and grievance policies, to address Covid-19 issues. Some businesses are also thinking carefully about how they deal with data protection requirements and developing protocols to demonstrate how data protection principles are dealt with in RTW planning. For example, having determined what data will be collected on employees and customers as part of RTW planning, retailers should implement processes to ensure that the data is only kept as long as is necessary and in accordance with health and safety and regulatory requirements.
  • Is it appropriate to implement temperature screening for employees and/or customers? Temperature screening for employees and/or customers is not required under the guidance, so retailers should assess whether or not such screening is justified in the circumstances. Where temperature or other health information is recorded then it should be documented in the form of a data protection impact assessment. It should be noted that the ability to carry out temperature screening varies considerably across Europe, with some countries not permitting it or only when undertaken by a company doctor or medical professional.
  • What practical steps can we implement to ensure social distancing is maintained? The guidance suggests a number of measures to minimise contact in stores between customers and employees. These include: (i) defining the number of customers that can reasonably follow social distancing within the store or other sale spaces, as well as entry points, and limiting customer access or numbers accordingly; (ii) encouraging customers to use hand sanitiser or handwashing facilities as they enter the premises and to avoid handling products in the store; (iii) encouraging customers to shop alone where possible; and (iv) operating appropriate queue management or a one-way system through the store. It is important that these types of measures are reflected in the RTW risk assessment.
  • Should all in-store employees be provided with face coverings? The guidance recognises that, whilst there is some evidence that face-coverings may protect others if someone is infected with Covid-19 but has not developed symptoms, the benefit is small. The guidance recommends other measures to manage the risk of Covid-19 infection through social distancing, hygiene and fixed teams or partnering, which again should be reflected in the RTW risk assessment.
  • What should we do if an employee tests positive for Covid-19? If the employee is at home and tests positive, then in line with the guidance they should self-isolate. If the employee is at the workplace, then, according to the guidance, they should be sent home immediately without touching anything. If they are required to remain at the premises for a period before going home, the employee should be isolated to the extent possible, wash their hands regularly, and cough or sneeze into a tissue and put it in a bin, or if they do not have tissues, cough and sneeze into the crook of their elbow. Importantly, the ICO advises that the name of the employee who tested positive for Covid-19 should not be shared with the rest of the workforce, where possible. HR and senior members of staff should determine whether they are able to detect other employees who have been in contact with the employee in question and recommend they take protective measures in line with the RTW risk assessment.

If you are interested in exploring this topic further, you can contact William Long directly at Contact details for the other authors are:

Susan Fanning:

Francesca Blythe: