Global Privacy Checklist for dealing with COVID-19: definitive guidance

Since our article on 16 March (Key tips to stay compliant), with many employees now working from home, we set out a data protection checklist for multinationals to consider for minimising risk during the lockdown period.

1. Data breaches when working from home

Have you reminded your employees about the need to maintain high data protection standards whilst working from home and the importance of reporting any data breaches immediately? You should review your usual escalation processes for data breaches and, if necessary, adapt these. If you don’t have a procedure for this adopt one as soon as possible.

As more employees are working from home, this is increasing the risk of data breaches. People will be working more informally or with different working patterns and they could easily become distracted by family members, the TV, or social media. This all could result in emails being sent in error or with the wrong attachments, or other people in the household or from open meetings seeing information inadvertently. There has also been a huge increase in cyberattacks from phishing emails to system takeovers.

2. New working environments

Review your security measures are still appropriate as a result of any changes in working environments and remind employees about confidentiality. New working environments and changes in use of technology could see videos capturing information unexpectedly, conversations being overheard, screens being looked at and virtual meetings hacked. This may mean personal or confidential information is inadvertently shared with people outside the business.

Employees need to be reminded to maintain confidentiality and to comply with security measures in their new working environment. Such measures could include encouraging employees to update passwords, reminding them to lock screens, consider the use of shredders, and take steps to lock hard copy documents away.

3. Use of personal devices

Flexibility on the use of personal devices needs extra thought. What security is needed? It has been proposed that employees are asked to turn off Alexa (or similar devices) whilst discussing confidential or business sensitive matters, due to the purported ability of the technology to record without you knowing it at all times.

4. Sickness reporting

There are no legal reporting requirements for employers about COVID-19 virus cases, but there may be a balancing act between providing information in the public interests and protecting individual’s rights by not collecting or providing more information than is necessary. Ensure processes for reporting are managed officially and confidentially by HR. Policies should be updated to cover self-isolation, quarantine or lockdown measures.

5. Medical checks, testing and tracking

Organisations need to exercise care when collecting, using and disseminating COVID-19 related information across the business. A combination of information that an employer releases and information obtained by other means could mean individuals are identified as having coronavirus or other sensitive information, such as their underlying health conditions.

The data protection authorities across Europe have expressed different views about collecting and processing COVID-19 related information. The French and Danish authorities have stressed that only limited data collection and processing is possible.

The Dutch watchdog warned that "as an employer you almost never have the right to register the medical data of your employees yourself." The French authority has said employers cannot require employees to do daily body temperature checks, while the Irish authority has said businesses should prove “strong justification…based on necessity and proportionality and on an assessment of risk” if they send employees questionnaires about their health or personal travel.

In Luxembourg, the authority has warned employers not to require employees give them a daily update of their body temperatures or they fill out medical sheets or questionnaires. We are tracking the regulators’ position globally on this (and other issues).

Tracking across the globe has resulted in significant discrimination, and employers should be very wary of using work equipment such as phones to do so without a legal obligation (see employee monitoring below).

In relation to temperature checks, there has been some debate as to whether such checks are effective and therefore may not be able to be relied upon to assess whether someone has the virus. If you are undertaking checks, or testing if it becomes available, you also need to consider the duty of care you will have to the employee undertaking the checks or tests, and what protective measures and/or training is required.

6. Employee monitoring

Monitoring your employees whilst they are working from home needs to be considered carefully. Home IP addresses will be considered as personal data and therefore it is difficult to monitor employees on an anonymised basis. You should undertake a data protection impact assessment (DPIA) to help you identify any data protection risks from monitoring employees from home.

There are now numerous instances of governments around the world turning to technology to track people to help prevent the spread of the virus. But there are also concerns that privacy standards would need to be loosened to protect against serious threats to public health.


Tracking across the globe has resulted in significant discrimination, and employers should be very wary of using work equipment such as phones to do so without a legal obligation


This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.



Read the latest articles and commentary from Shoosmiths or you can explore our full insights library.