Data Protection and Privacy: How a Company Should Handle its Employees’ Personal Data during COVID-19 Outbreak

Many organizations in Indonesia are quickly launching a number of initiatives to anticipate and minimize the spread of the COVID-19 outbreak and to ensure the health and safety of their employees. The most obvious one is a work-from-home policy. The COVID-19 outbreak has put remote work on a totally unprecedented scale.

However, remote work may not always be possible for all employees. Some organizations have adopted a rotation policy, under which employees alternate between working from home and working from the office. Employees in certain types of business or industry, such as hospitality staff, bank front-liners or health care professionals, must be physically present to work. For employees that have to attend the office, organizations normally adopt a new health assessment policy, such as collecting the body temperature of those who work on-premise, requiring employees to alert the organization to any occurrence of symptoms, and requiring them to disclose travel records and close contacts.

Unquestionably, the above measures will involve data handling activities, which most likely will also include employees’ personal data. Handling employees’ data diligently is essential for organizations to demonstrate their commitment to comply with the prevailing regulations. In light of that, below are several notes that an organization should consider in handling its employees’ data during the COVID-19 outbreak pursuant to Indonesia’s personal data protection regime.

  • Which data constitute Personal Data?

Personal Data, in essence, is any data relating to an identified or identifiable natural person, whether directly or indirectly.

The scope of Personal Data includes the employees’ basic identity, such as name, gender, address, etc. It is also likely to include not-so-obvious data which may allow a person to be indirectly identified. Common examples of such data in this case include, but are not limited to, (i) location information, such as travel records, means of transportation and live-location data; (ii) health-related data, including body temperature and information on the occurrence of symptoms; and even (iii) information about the employee’s close contacts, for instance, whether one has been in contact with an infected person or a Person under Supervision.

  • How should an organization collect the employees’ Personal Data?

First and foremost, collect the data on an appropriate lawful ground, considering the following:

  • An organization that intends to rely on consent should note that one of the elements of lawful consent is that it be “freely given”. Oftentimes, consent is considered not to be freely given in an employment relationship due to the power imbalance between the two sides.
  • Legitimate interest in ensuring the safety and health of the organization is likely to be the more appropriate ground, provided that the processing is carried out proportionately and on a strict necessity basis.
  • Performance of an employment contract may be relevant on the condition that ensuring the safety and health of the organization is stipulated in the employment contract or company regulation.
  • In an emergency, the protection of the employee’s vital interests may be the relevant ground for processing the employee’s Personal Data, for instance when sharing it with health professionals.

Furthermore, the organization ought to limit the collection to only the Personal Data that is relevant and necessary to the purposes of the processing. If the purpose is to manage the risk and ensure the safety and health of everyone on-premise, the organization may, for instance, go as far as collecting information about the employees’ close contacts in the last 14 (fourteen) days. However, if the purpose is only to ensure that employees are complying with a self-isolation policy, the employer may only need to focus on collecting live-location data regularly.

Similarly, organizations should also limit, and inform employees of, the scope of the processing (i.e., analyzing, sharing and/or disclosing) to what is proportionate to the relevant purposes.

  • What Can an Organization Do With the Collected Personal Data?

After Personal Data is collected, an organization needs to further consider how to handle or process that data. For this purpose, it is important to understand the concept of being proportionate. When the purpose of the processing is to ensure the safety and health of everyone on-premise, recent travel records may be relevant to collect and analyze in order to determine an appropriate course of action. However, it should be noted that any different treatment of employees shall not be discriminatory.

It is also reasonable to inform employees of identified cases within the organization. However, as the purpose is only to keep everybody informed and aware, anything beyond anonymous information (for example, naming or identifying one individual) is likely to be viewed as disproportionate and excessive, unless there is a justifying reason for such a decision.

An organization may also store Personal Data for a certain period for a specific purpose, for example when it identifies that it is necessary to store the collected Personal Data for a follow-up action (e.g., to test a suspected employee after a self-isolation period).

  • To Whom and When Is an Organization Allowed to Share the Collected Personal Data?

At times, Personal Data sharing may be necessary to ensure the safety and health not just of everyone within the organization, but also of the public. Information relating to identified cases within the organization might be relevant and/or required to be shared with third parties.

Indonesia has several laws and regulations relating to the prevention of infectious diseases and epidemics. Such regulations may be relevant in this case, as COVID-19 can be categorized as an infectious disease and has also been declared an epidemic by the World Health Organization. These regulations can serve as a legal basis for sharing data/information relating to any identified or suspected case of COVID-19 within the organization (which also includes the employees’ Personal Data) with the Health Authority.

Such applicable laws and regulations include the following procedures:

  • The Health Authority is entitled to collect, gather, and process health data/information in order to stop the outbreak of an infectious disease.
  • An organization is obliged to report the occurrence of an infectious disease within its organization to the regional Health Authority.
  • The applicable regulatory framework only stipulates the timeline for an organization to report to the Health Authority, i.e., promptly, within 24 (twenty-four) hours of obtaining knowledge of any identified or suspected case of the infectious disease.

Furthermore, although the applicable regulatory framework only stipulates data sharing with the Health Authority, it is also relevant to share such information with other third parties, such as clients/vendors or building management. Such sharing may be necessary so that those third parties can manage risk and take the necessary action to ensure their safety promptly.

As to the content, there is no provision which explicitly lists the information required to be shared. In this regard, it is important to keep it on a strict necessity and proportionality basis. For instance, it might be relevant to inform clients/vendors of the name of the suspected employee(s) who recently interacted with them, so they can manage the risk and take measures within their organization. However, it might be excessive to provide details of the employee to building management when the purpose is only to inform them of identified cases. Besides, the organization shall also ensure that the receiving party will provide adequate protection for the data.

  • Good Governance of Personal Data During the Covid-19 Outbreak

Ensure that the Personal Data collected from the employees is accurate

The accuracy of data is paramount in any type of processing. With the COVID-19 outbreak, it is even more crucial to process accurate data to ensure the safety and health of everyone, inside or outside the organization.

When collecting employees’ Personal Data, an organization must ask the employees to provide accurate and valid data and information about themselves, e.g., recent travel records and honest information on close contact with an infected person. Accordingly, an organization may impose disciplinary action if employees refuse to provide information or provide untrue information, as appropriate in accordance with the laws and regulations and the company regulation.

Update the organization’s records of Personal Data processing

The organization must keep track of its Personal Data processing activities at all times, including those related to measures taken to prevent the spread of COVID-19. International best practice is to record the types of Personal Data collected, every relevant purpose of the processing, the scope of the intended activities, the recipients (if relevant), the list of processors (if relevant), the retention schedule, and a general description of the security measures implemented.

Ensure the security, integrity, and confidentiality of the data

Personal Data should always be processed and maintained with proper technical and organizational measures to prevent any data breach, theft, and/or leakage. A proper technical measure is to keep the data in a secure electronic environment, in accordance with the applicable regulations. Further, a standard good organizational measure is to have an internal policy/guideline which governs how Personal Data is handled. Since we are dealing with sensitive information during this outbreak, it is always better to limit the number of people with knowledge of the data as far as possible, on a need-to-know basis.

Responding to employees’ requests with regard to their Personal Data rights

As a data subject, each employee has Personal Data rights. At times like this, an organization should strive to grant employees’ Personal Data rights as fully and as appropriately as it can. Indonesia, in this regard, provides data subjects with the right to confidentiality of their data, to file a complaint, to obtain access in order to rectify the data, to obtain access to the historical records of the data, and to request the erasure of the data under certain conditions.

  • What to Do with the Collected Personal Data After You Are Done?

The collected Personal Data ought to be used only for the purposes that were communicated to the employees and kept only for the period necessary to achieve those particular purposes. The applicable Indonesian regulation provides a minimum retention period of 5 (five) years after the purposes have been achieved. Notwithstanding this, to prevent any unwanted data leakage or misuse, it is always better to store the data in a format which does not allow any direct identification during the retention period, e.g., through pseudonymization. Once the period elapses, delete it.
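As an added illustration of the pseudonymization and retention point above (example code written for this note, not part of the original article or of any regulation), the script below replaces the direct identifiers in a screening record with a keyed HMAC token, keeps the key separate from the retained dataset so that re-identification is only possible for a justified follow-up, and drops records once the 5-year retention period has elapsed. The sample records, field names, and the way the retention anniversary is counted are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample screening records (hypothetical employees, not real data).
SAMPLE_RECORDS = [
    {"employee_id": "E-1001", "name": "Employee A", "temperature_c": 36.6,
     "symptoms": False, "travel_last_14d": "none",
     "screened_on": "2020-04-06", "purpose_achieved_on": "2020-04-20"},
    {"employee_id": "E-1002", "name": "Employee B", "temperature_c": 38.1,
     "symptoms": True, "travel_last_14d": "domestic",
     "screened_on": "2020-04-06", "purpose_achieved_on": "2020-05-04"},
]

# Fields that directly identify the employee; they are removed from the
# retained copy and replaced by a keyed pseudonym.
DIRECT_IDENTIFIERS = ("employee_id", "name")


def new_pseudonym_key() -> bytes:
    """Random 256-bit key. Keep it outside the retained dataset (e.g. with HR),
    so whoever holds the dataset alone cannot re-identify anyone."""
    return secrets.token_bytes(32)


def make_pseudonym(employee_id: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 16 hex chars).
    The same employee always maps to the same token, so a follow-up action can
    be linked to the right record, but without the key the token cannot be
    reversed or checked against a guessed employee id (a plain, unkeyed hash
    of a small id space could be)."""
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Copy of the record without direct identifiers, plus the pseudonym."""
    retained = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    retained["pseudonym"] = make_pseudonym(record["employee_id"], key)
    return retained


def pseudonymize_dataset(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def reidentify(pseudonym: str, known_employee_ids, key: bytes):
    """Re-identification for a justified follow-up: needs both the key and the
    organization's own list of employee ids. Returns None if nothing matches."""
    for employee_id in known_employee_ids:
        if hmac.compare_digest(make_pseudonym(employee_id, key), pseudonym):
            return employee_id
    return None


def retention_expired(purpose_achieved_on: str, today: str, years: int = 5) -> bool:
    """True once `years` years have elapsed since the purpose was achieved
    (ISO dates). The 5-year default follows the retention period stated in the
    text; counting to the calendar anniversary is an assumption of this example."""
    achieved = date.fromisoformat(purpose_achieved_on)
    now = date.fromisoformat(today)
    try:
        expiry = achieved.replace(year=achieved.year + years)
    except ValueError:  # 29 February with a non-leap target year
        expiry = achieved.replace(year=achieved.year + years, day=28)
    return now >= expiry


def purge_expired(pseudonymized: list, today: str, years: int = 5) -> list:
    """Return only the records still within their retention period; the rest
    are dropped, i.e. deleted from the retained dataset."""
    return [r for r in pseudonymized
            if not retention_expired(r["purpose_achieved_on"], today, years)]


if __name__ == "__main__":
    key = new_pseudonym_key()
    retained = pseudonymize_dataset(SAMPLE_RECORDS, key)
    print("retained (pseudonymized):", retained)
    print("still retained on 2025-04-25:", purge_expired(retained, "2025-04-25"))
```

The design choice worth noting is the keyed HMAC rather than a plain hash: employee ids come from a small, guessable space, so an unkeyed hash would let anyone holding the dataset test candidate ids and undo the pseudonymization. With the key held separately, the retained dataset on its own satisfies the "no direct identification" aim, while a legitimate follow-up (such as the post-isolation test mentioned earlier) remains possible for the key holder.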

 ***

During this trying time, the safety of people should be the most important concern for each organization, and that includes not just their health, but also the safety of the privacy, private life, and Personal Data of the employees.


April 6, 2020

Copyright © 2020 AKSET. All rights reserved.