Coronavirus and the GDPR

Back in 2018, the shakeup of the UK data protection regime brought in by the GDPR was seemingly all anyone in business was talking about. Now in 2021, it’s fair to say that the COVID-19 pandemic has replaced almost any other topic of conversation. However, the two topics are not entirely distinct, with the pandemic throwing up a number of challenging data protection considerations for employers, specifically in relation to the processing of health information relating to employees.

We have therefore decided to explore some of these issues in two separate blogs which analyse the two key situations which can result in employers needing to process their employees’ health information during the COVID-19 pandemic.

This blog covers scenarios where data processing is required in respect of employees who are absent from work due to coronavirus symptoms or because they are self-isolating in accordance with government guidance. Please look out for our other blog on Coronavirus and the GDPR, which covers data protection issues which arise when employers carry out workplace coronavirus testing and symptom monitoring programmes.

The processing of health information involves “special category data” under the GDPR, which means an employer must ensure that they have both a lawful condition for processing personal data and a “specific condition” for procession special category data, and this blog explores how an employer can demonstrate these required conditions.

Employee absences due to coronavirus and workplace outbreaks

If an employee is unwell due to coronavirus, the usual processing of health information will be required in order to record the absence and pay sick pay. However, additional processing may be required depending on the employee’s specific situation.

For example, an employee who receives a positive coronavirus test will be “encouraged” to alert the people that they have had close contact with in the 48 hours before the onset of symptoms. If this includes their work colleagues, the employee is also encouraged under the relevant government guidance to consider informing their employer so that their colleagues can be alerted.

If an employer is asked by an employee to alert their co-workers, ideally this should be done on an anonymous basis, although there will inevitably be situations where it will be easy to identify the employee who has tested positive.

Generally, however, it will be the responsibility of NHS Test and Trace rather than employers to alert close contacts of an individual who has tested positive for coronavirus, even if the close contacts are work colleagues. The exception to this is where there is more than one case of coronavirus associated with a particular workplace (i.e. where there is a “workplace outbreak”).

Where there is a workplace outbreak, the employer must contact its local PHE health protection team to report the suspected outbreak. If the local PHE health protection team declares an outbreak, the employer will be asked to record details of symptomatic staff and assist with identifying contacts.

The employer will be assisted with this by PHE, who will provide information about the outbreak management process and how to implement control measures, communicate with staff and reinforce prevention messages.

As for the lawful and specific conditions for processing health information and other personal data relating to employees in these circumstances, it is likely to be regarded as falling within the employer’s duties under health and safety legislation in which case the employer is likely to be able to rely on their need to “comply with a legal obligation” and “compliance with their obligations and rights under employment law” as lawful conditions.

Employees absent due to self-isolation

Throughout the pandemic, most employers are likely to have employees who are required to self-isolate, for example because they are a close contact of someone who has tested positive or they have travelled to England from abroad. An employee may also be self-isolating where they have symptoms of coronavirus, or have tested positive, but are nevertheless well enough to work from home (and it is possible for them to do so).

If an employee is self-isolating (for whatever reason) and cannot work from home, they will be eligible for SSP and the employer will need to process this in the usual way.

If it is necessary to process health information because an employee is self-isolating, the lawful and specific conditions for that processing may vary depending on the reason for self-isolation. For example:

  • if the employee is self-isolating because they have travelled to England from abroad, this is a legal requirement and arguably the conditions of “compliance with a legal obligation” and “compliance with obligations and rights under employment law” should apply;
  • if the employee is self-isolating because they have symptoms of coronavirus, have tested positive, or are a close contact of someone who has tested positive, these obligations are set out in non-statutory guidance only and so it is not clear that the conditions of “compliance with a legal obligation” or “compliance with obligations and rights under employment law” would apply. However, an employer might be able to assert that ensuring that employees self-isolate in these circumstances falls within the employer’s duty under health and safety legislation, and on this basis those conditions would arguably apply.
Employees unwilling or unable to return to work

Employees who are clinically vulnerable or clinically extremely vulnerable (or those who live with someone who is), as well as those who are otherwise anxious about contracting coronavirus may be unable and/or reluctant to return to work.

Dealing with these situations may require meetings and correspondence between the employee, their manager and HR. They may also involve requests for medical reports. Depending on the circumstances, employers processing health information for these purposes may wish to rely on the following:

  • as a lawful condition for processing: “compliance with a legal obligation” or “the employer’s legitimate business interests”, and
  • as a specific condition for processing: “compliance with obligations and rights under employment law or “establishment, exercise or defence of legal claims”.

If you have any concerns about your rights and obligations when it comes to processing employee health information during the pandemic, please get in touch with the MLP Law Employment team at or 0161 926 9969. Please also keep an eye out on our Twitter feed @HRHeroUK and for our other blog in this series.