Test, track and trace
The Coronavirus health and safety, human rights and data protection conundrum for employers
22 June 2020
As the world confronts the Coronavirus crisis, many employers in the UK and globally are keen to embrace new technology as part of their response to the pandemic. There are a variety of techbased tools that may be developed or adapted with the aim of ensuring a safe workplace for employees amid the new challenges posed by the spread of Coronavirus. To the extent that these may impinge on the privacy or other rights of workers, their adoption and implementation requires particular thought and care. In this briefing (and the Appendix) we set out some of the considerations and practical steps for employers.
Is it the right solution for your organisation?
Before rolling out new technologies to manage Coronavirus, employers should ensure they have assessed whether and how new technology can fit into their business practically, legally and ethically. If potentially intrusive technologies are to feature in the “new normal”, businesses need to give early and proactive attention not only to the expected benefits, but also the risks. Adopting a systematic approach to risk assessment should mitigate potential legal and reputational exposure, business interruption and dissonance with the organisation’s culture and values.
Considerations of employment and data protection laws are critical. Ensuring due respect for the rights of individuals that will or may be affected by the new measures is expected of all businesses, and for many organisations is part of their publicly stated commitments.
Businesses would be well-advised to ensure that their compliance and risk management frameworks are robust and adaptable to respond to the quickly developing demands involved in providing a safe work environment while Coronavirus persists. Existing safeguards and protocols are likely to require adaptation to accommodate the introduction of technologies aimed at facilitating a return to work while keeping workers safe. New challenges require innovation and organisations want to be nimble: but speed of response should not be at the expense of careful assessment of impacts and risks, and of robust strategies to address them. Collaboration across business functions will also help ensure a coherent organisational response to the significant challenges ahead.
Taking a lead from government
Various governments around the world have resorted to new technology in attempts to address the Coronavirus pandemic. Spurred on by this, employers in the UK and globally may be keen to have ‘best in class’ tech to support their businesses and keep employees safe. Issues arise around the use of these technologies, including concerns around who may collect, process, access and use data (including employers and governments). Regulatory frameworks, government policy, protections and respect for individual rights will vary from country to country. Due to the highly sensitive nature of the data involved, the stakes are high: strict rules will generally be in play – but often differ from country to country.
Some employers (e.g. in the retail sector) have already been invited by authorities to collaborate in testing tech solutions with employees. In many jurisdictions, governments and regulators have produced guidance on how to approach such new tech (for example, in relation to contact tracing). It is important not to assume that government guidance will provide all the answers or a fully protective cloak for corporate activity and decision-making. For example, although government’s endorsement of particular approaches may provide comfort that it is within regulatory tolerance, the potential intrusiveness of these technologies and other concerns that have been expressed by civil society suggest they are not free from potential legal challenge, including by way of judicial review of government decision-making. Furthermore, guidance generally incorporates a wide berth of discretion, and employers will have to be comfortable in the context of their sector and business that the judgements they make do not expose them to challenge and risk.
Experience at the level of government has shown that the manner in which technology is deployed is critical, with carefully drawn parameters around the use to which gathered data may be put. Recent case law in the public sector is instructive in its consideration of the balancing of intrusions into privacy with the pursuit of legitimate interests. For example, in the UK, a challenge to the use of automated facial recognition was defeated based on the mitigants the organisation had put in place (e.g. discarding the biometric information of those who did not meet the relevant profile). More recently, the French data protection authority (the CNIL) insisted that the French Government’s contract tracing application could only be launched if its usefulness for crisis management was sufficiently proven and if certain guarantees were provided (for example, it must be temporary, and the data must be kept for a limited period of time). The UK Information Commissioner has also underlined how “it is so important that the Government are transparent about what data is being used, how it is used and why it is used. They have to make sure that the app is truly voluntary, and they must stick to the disclosed uses of it”.
Regulators globally have already opined on how private employers must approach the use of tech in confronting the challenges of Coronavirus including how voluntariness and consent may enter the equation. Given the unbalanced nature of the employer-employee relationship, some data protection authorities have expressed scepticism that employee consent can be used as a valid legal basis to justify the processing of their personal data. Indeed, the Dutch data protection authority has gone so far as to warn organisations in the Netherlands that consent to fingerprint testing and temperature surveillance (both generally and in the context of Coronavirus measures) in an unequal relationship is invalid and liable to fines.
Clearly, any strategies that an employer adopts to using tech in this space needs to be legally compliant, but it must also be right for the business and take appropriate account of the legitimate interests and concerns of employees: supporting legal, practical and respectful outcomes. Short-term expedience can create unhappy precedent for the future, leading to workplace unrest, potential legal challenges, adverse publicity and reputational damage, as well as a shift in the dynamic of the employer-employee relationship.
This is not ‘one-size-fits-all’
The challenges will be particularly complex for transnational businesses operating in multiple jurisdictions. Governments may take radically different stances on the permissibility and application of Coronavirus-related tech. The onus to assess what is lawful, reasonableproportionate, and respects the rights of affected parties, will fall on the employer. The ‘right’ answer may vary from business to business, or even within an organisation: relevant considerations include sector, location, operational layouts, size, numbers of employees, work environment and culture. The diversity of needs, interests and concerns across the workforce will require appropriate consideration, including by reference to vulnerable categories of persons.
Tech is unlikely to be the complete solution, but rather part of a hybrid, a tool amongst other steps to keep employees safe in the workplace. What is needed and appropriate may also shift over time. For example, the UK Government’s guidance currently does not anticipate antigen testing for office-based employees unless they are deemed ‘essential or key workers’. If they do have to be in the office, then other measures, such as social distancing and enhanced cleaning, are suggested. For employers who perceive benefits in proactively tracking emerging health risks, contact tracing apps can be combined with personnel-based contact tracing such as talking to symptomatic employees about their movements, as well as good workplace health and safety practice. While it may seem smart to have wearable tech wristbands that beep if employees are too close to each other, simple signs and floor distance markings will also be part of the armoury.
The approach to tech may not simply be about harnessing new solutions for employee protection. In some cases, there may need to be a regression from existing tech: touch screen technologies that may have seemed modern and inviting (for example, in lift lobbies) may now alienate staff. For some employers, tech solutions will include mitigating against the malicious use of data; at a time when employees are increasingly working from home with less supervision, wrongdoers may consider it easier to abuse data collected by the organisation. If there is more personal data in circulation due to Coronavirus, the risks involved increase.
As employers create frameworks to facilitate the return to work that is right for their organisation, the possible uses of tech will almost inevitably come into the equation. It will be important for employers to be able to justify the use of technologies while demonstrating that adequate mitigants have been put in place to minimise risks to those impacted. It may not be straightforward to navigate the sensitive balance between employer’s business interests, the health and safety of the workforce as a whole, and the individual interests and concerns of employees. Consultation, open communication and adequate tracking of the effectiveness of safeguards should support the instilling of trust and meeting stakeholder expectations. Employers would be well-advised to establish and assess indicators of use and effectiveness over time, and to feed learnings from these into periodically refreshed strategies. Ensuring that employees are able to communicate concerns and that grievances are addressed in an open and transparent way should also help minimise frictions and ensure legitimate concerns are addressed.
Employees are increasingly aware of these issues, and so treading the right side of the line on privacy incursion, communicating a legally compliant approach, and strong employee engagement will be critical for successful implementation. In contrast, a failure to adequately address such issues risks disruption to the return to work and reputational damage – and potentially lifethreatening impacts for employees.
Risk-based rightsrespecting management
The pandemic will require adaptions and restrictions within society until a vaccination or effective treatment is found and effectively rolled out. When that will happen is unclear. This uncertainty is exacerbated by the speed at which the political and scientific response is moving.
First and foremost, businesses should stay abreast of the evolving government guidance in the jurisdictions in which they operate and interpret such guidance in the context of their operations.
As businesses shift from their immediate crisis response to resilience, resuming some normality in day-to-day business operations will need to be supported by practical risk management road maps to ensure a resilient and adaptive response in these uncertain times.
The consequences of an inadequate risk management approach should not be underestimated:
- Businesses may face claims from employees. For example, a whistleblowing claim in respect of failings could not only see an employer pay out costly damages and face regulatory involvement but could have a strong reputational impact given the high-profile nature of the issues.
- Data regulators have the power to levy stringent fines (e.g. 4% of global turnover under GDPR), and health and safety regulators (such as the HSE) also have significant enforcement powers.
- In many jurisdictions, data claims (whether under data legislation, human rights-focused challenges or common law claims such as misuse of private information) are a growing trend, with claimants utilising classstyle actions for data misuse. Crucially, civil claim damages can far outstrip the regulatory fines.
- Civil society organisations, works councils and unions may also seek to challenge measures taken by companies to address the risks posed by Coronavirus. In an era where companies are expected to respect human rights even in the absence of specific legal duties, companies are under increased scrutiny (from investors to consumers) to demonstrate that they are able to know and show the steps that they are taking to prevent and mitigate the harm that taking steps to protect health and employee also has on human rights.
- If employees reject the tech approach adopted, then, crucially, attempts to keep the workforce safe could be undermined.
The Appendix (available for download from the left hand side) to this briefing sets out practical steps employers can take to address key issues in this regard. Having employees’ rights as well as their welfare at the forefront of ongoing due diligence of the impacts of tech-related solutions will be the best way to safeguard against long-term harms being caused as an unintended consequence to the protection of employees’ health, and will support the long-term resilience and sustainability of the business.