COVID-19: Vulnerable Workers and the Return to Work Protocol: A Data Protection Minefield?

As Ireland enters the second phase of lockdown easing, employers across the country are moving closer to bringing workers back to the workplace.  Employers will be looking closely at the Government’s Return to Work Safely Protocol (the “Protocol”) to design appropriate systems and procedures that will facilitate safety in the workplace.  The Protocol acknowledges that employees face differing levels of risk and asks employers to consider vulnerable workers in a number of different contexts.  This note considers the category of vulnerable workers, the areas in which employers must consider their needs, and the data protection implications that may arise from these responsibilities. 

1. Who is a Vulnerable Worker?

While the concept of a vulnerable worker is used within the Protocol, the term is not defined.  At present, responsibility for setting the parameters of this category will rest with employers themselves.  At a minimum, however, a “vulnerable worker” could be understood to include the categories of very high risk individuals identified by the HSE (who were advised to cocoon) and categories of high risk individuals identified by the HSE.  The full list of these categories of individuals is available on the HSE website.  At a high level, however, these categories are based on age, disability and medical conditions.

2. When Should Employers Consider Vulnerable Workers?

The Protocol specifically refers to two types of protections employers should consider for vulnerable workers.  First, employers should enable vulnerable workers to work from home where possible.  Second, if a vulnerable worker cannot work from home and must be in the workplace, employers should ensure the vulnerable workers are preferentially supported to maintain a physical distance of two metres. 

Implementing these protections means an employer will be required to consider the needs of vulnerable workers in both the design of any plan for a return to a workplace and on an ongoing basis in the implementation of that plan.  Both of these elements will require employers to identify the population of vulnerable workers within their workforce and to maintain an ongoing dialogue with that population in terms of supports.  In order to satisfy these responsibilities, employers will need to process an increased amount of employee health data.

3. What Are The Data Protection Implications?

An increase in the amount of health data that employers process has implications from a data protection perspective.  While the scope of the category of vulnerable workers appears to be the responsibility of the employer to determine, based on available guidance it would appear that any definition of this category will involve the collection of health data related to employees.

For the purposes of GDPR compliance, employers should be aware that Article 9(1) contains a general prohibition on processing data concerning health unless the processing by the employer falls within one of the exceptions contained in Article 9(2). The Data Protection Commission issued guidance in March 2020, which indicated the Article 9(2) exceptions likely to apply to processing of health data in the context of the COVID-19 pandemic. 

From a compliance perspective, it is important to note that prior to the COVID-19 pandemic, employers typically collected small amounts of health data, which usually related to the administration of a sick leave scheme.  Generally, an employer’s internal documentation, e.g. data protection policy, employee privacy notice, and record retention policy, will have been drafted on this basis.  In order to satisfy the responsibilities towards vulnerable workers under the Protocol, however, employers will be processing an increased amount of employee health data.  Employers should review internal documentation, with a view to ensuring any increased processing of health data is captured by their policies.  Given the sensitive nature of this category of personal data (and the general prohibition on its processing contained in Article 9(1) of the GDPR), a failure to do so is likely to be regarded as a serious breach of data protection principles.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.