
DECEMBER 2020

COVID and the workplace – what can employers do to keep their workforce safe?

Earlier in this lockdown period, I advised one of my clients against the use of thermal cameras which would (not with great accuracy) take the temperature of customers to assess whether they might have coronavirus and therefore whether they should be admitted into the client’s premises.

I also advised another client about the use of fingerprint scanning in the workplace to restrict entry to unauthorised personnel.

I advised that without the (truly) free consent of those individuals, my clients wouldn’t be able to get past Article 8 of the GDPR, namely the use of special category or biometric personal data. The sceptic within me would say that they agreed to follow my advice out of sheer boredom rather than actually understanding it.

But now that we have a COVID-19 vaccine, the lawyerazzi and commentators have begun commenting on how an employer can legally insist on an employee taking the vaccine.

I have some news for them: they can’t. An employer cannot force an employee to take the vaccine.

An employer is required by virtue of the Health & Safety at Work Act 1974 to provide a safe workplace for the employee. Nothing contentious there. But we do not yet know that the vaccine restricts transmission to other people. This will only become clearer once enough people in the community have had the virus and further research is done at that time. So we cannot yet say that employees taking the vaccine will make the workplace safe.

What if employers instructed employees to take the vaccine as a reasonable management instruction? This is where the GDPR comes in. There is no provision within the GDPR for management instructions – reasonable or otherwise – that would require an employee to share special category data (which includes health information) with an employer.

What are employers left with then? As with much of today’s employee relations, the only lawful and least risky option is to engage with your employees. Seek their input and freely given consent. Some people are (rightly or wrongly, only time will tell) genuinely worried about the efficacy, provenance, side-effects and long-term risks of such a hastily developed vaccine for a relatively new and unknown virus, and these are people who would happily take long-established vaccines for other diseases. Employers should respect that.

In any case, the vaccines are not likely to be freely available to most of the working population (particularly those without underlying health conditions) for some months.

Coronavirus has thrown our modern world upside-down, and employers would be best advised to look to innovative and sympathetic ways of keeping their workforce protected.

JUNE 2020

Dubai’s DIFC enters GDPR-like regulation territory

Last week, I posted an article on LinkedIn about the Dubai International Finance Centre, a jurisdiction within UAE law, bringing into force the DIFC Data Protection Law No. 5, with effect from 1 July 2020. It has a remarkable number of similarities to the GDPR.

In fact, it would be easier to talk about the differences:

Definition of personal data: the DIFC law includes communal origin, perhaps reflecting a population which is only 20% native.

Extra-territoriality: the DIFC law doesn’t cover the monitoring of UAE citizens in the same way that the GDPR extends to controllers and processors who track the behaviour of EU citizens, but that perhaps is the only difference between the two laws. Increasingly, all new data protection laws globally are mirroring the GDPR’s extra-territoriality feature.

Retention of personal data: the DIFC goes further than the GDPR in relation to the retention of personal data after the purpose has been met, or the controller no longer requires the data. The DIFC actually requires that the data be deleted (securely), not just put beyond use or anonymised.

Consent: here again the DIFC goes further than the GDPR. Controllers must deploy technical and organisational measures to ensure that consent (which, by the way, has all the features that made the GDPR famous – specific, clear and plain language, etc.) remains valid throughout the processing of the data, and as soon as it appears that the data subject would not reasonably expect the processing, the controller must seek to re-affirm consent. In practice, this might be difficult to manage, and what the controller thinks is reasonable may be far removed from the data subject’s position.

Accountability: new for the DIFC are the requirements of Records of Processing Activities (RoPAs), Data Processing Impact Assessments (DPIAs), and the requirement for a Data Protection Officer (DPO) in many cases. Unusually, however, the DPO must ordinarily reside in the UAE.

Data Subject Rights (DSRs): broadly similar to the GDPR, the new DIFC law includes new rights for data subjects. Although the DIFC law is mildly inferior in that it allows controllers to charge data subjects for exercising some of their new DSRs, this is massively offset by the provision that prohibits discrimination against a data subject on the grounds of their exercising a DSR.

Breach notification: like the GDPR, breaches must be notified to a supervisory authority, though there is no 72-hour time limit. Instead, breaches must be notified as soon as practicable.

Fines: maximum fines of US$100,000 are tame compared to the GDPR, though this is not “exhaustive” and can be updated from time to time. Further, there is provision for data subjects to make claims for compensation, though liability is split between controllers and processors, rather than the more cautious provision in the GDPR which requires controllers to cover the liability towards the data subject in full and recover the relevant proportions from other controllers or processors at their leisure.

For more information, and for help with your privacy compliance, please contact us.