Isle of Man: Employment Issues, Data Subject Rights and GDPR Enforcement in the Pandemic

April 13, 2020 | Alerts

The Isle of Man, which has implemented the EU's General Data Protection Regulation, has issued detailed guidance on data protection and the coronavirus pandemic.

Data Protection Law Still Applies

  • Data protection law does not stand in the way of the provision of healthcare and the management of public health issues.
  • For healthcare bodies, including public health, there are specific conditions in the data protection law that make such processing, which includes disclosures, lawful.
  • The processing of that personal data is still subject to appropriate safeguards, and must comply with the data protection principles, unless there is good reason not to. Accuracy of personal data, however, remains imperative.

Employers

  • Employers and other organizations have a general obligation to protect the health of their staff/volunteers etc. So, in some cases, it can be reasonable to ask staff if they have returned to the Island recently and are required to self-isolate, or whether they, or others close to them, have experienced coronavirus symptoms.
  • Employers do not necessarily need to know where staff have been, or record what symptoms they have. In most cases a yes/no answer may be sufficient.
  • If employers ask for specific health information they must:
      1. Not ask staff for more health information than is necessary and proportional to the specific working circumstances.
      2. Make sure that the personal data they hold is accurate.
      3. Have appropriate measures in place to protect any health information collected from unauthorized access or loss, etc., whether this is held in paper format or electronically.
      4. Not keep that health information for any longer than is necessary.
      5. Explain to staff what health information is needed from them and why, and how long it will be kept.
  • If a member of staff, for example, becomes ill with coronavirus symptoms, an employer might need to tell their colleagues. However, that doesn’t mean that the employer needs to give out their name or post their name on a notice board.
  • If the Public Health Directorate seeks information from an employer about the health of staff in connection with the coronavirus outbreak, there is nothing in the data protection law that prevents or prohibits the employer from providing relevant, accurate information to that body.

Data Subject Rights

  • The law applying to data subjects’ rights is unaffected by the coronavirus situation.
  • Controllers experiencing difficulty in complying with requests within the statutory time should communicate clearly with the individuals concerned about the handling of their request. For example, they may wish to explore the possibility of providing a staged response to a request.

Enforcement Allowance

  • While statutory obligations cannot be waived, the facts of each case, including evidence of specific extenuating circumstances, will be taken into account should a complaint about compliance with a request be made during the coronavirus situation.
  • The Commissioner is deeply conscious of the impact that the coronavirus is having on health bodies in particular and that the prioritization of patient care may mean the diversion of resources.
  • The Commissioner is also conscious that some businesses will be closed altogether for what may be a significant period.
  • The Commissioner will, as far as possible, take a proportionate and pragmatic regulatory approach.

Accountability

  • It is important that controllers play their part in being able to evidence to the Commissioner, if necessary, the steps taken, the challenges they faced and any other extenuating circumstances in relation to compliance with their statutory obligations.
  • Maintaining suitable records of the actions that a controller has taken in complying with requests is particularly important during this current public health situation, where controllers may face difficulties with complying within the statutory time frame.

Odia Kagan is Chair of the firm's GDPR Compliance & International Privacy Practice. She can be reached at 215.444.7313 or [email protected].