Think about employee privacy, including the privacy of those who may be infected. It is important to note in particular the following:
You cannot impose systematic tests on your employees (save in specific situations that might be ordered by the government). It is better to politely ask an employee with a fever to contact the occupational physician. Better yet, ask employees to stay at home if they feel they may be developing symptoms (and support rather than stigmatize them, of course).
You cannot disclose the names of infected employees (even internally). The fact that someone is infected or not is personal data relating to health, which you are prohibited from disclosing except:
- to the extent necessary to comply with employment and/or social security obligations, or
- to the extent necessary to protect the "vital interests" of the employee or another natural person (e.g. to call emergency services if the employee is no longer physically able to do so). Note: it may be that this aspect will be given a broader interpretation as the situation evolves.
And no, don't inform the employee’s colleagues even if you have the employee’s consent. Given the hierarchical nature of the employer-employee relationship, the "free" nature of employee consent can be called into question.
The most recent guidance by relevant authorities is available online:
- European Data Protection Board: statement on the processing of personal data in the context of the COVID-19 outbreak (16 March 2020)
- Luxembourg National Commission for Data Protection: recommendations on the processing of personal data in the context of a health crisis (10 March 2020)
Prepare a communications strategy, if you do not yet have one, for crisis situations. Should there be an infection or outbreak in your company, it is preferable to be in control of the message. This is relevant for COVID-19 as well as other situations (ransomware and other incidents).
Activate your business continuity plan
Such a plan is a best practice and even compulsory in certain critical industries such as the financial sector. The plan describes what to do if the offices can no longer be used and ideally should indicate alternative premises.
Homeworking does not equate to loss of control
As long as you set clear rules beforehand and abide by applicable laws. Time-tracking and IT monitoring tools are permitted under certain circumstances, and in most EU countries you first need to properly inform employees of the possibility of monitoring, sometimes even involving the employee representatives in a consultation process. Make sure you do so before you roll out your monitoring system. The Luxembourg financial regulator, the CSSF, has already provided minimum standards in terms of access management (with a strict “least privilege” policy), secure (encrypted) communications, compulsory monitoring of connections, and the requirements to activate remote access in exceptional circumstances.
Remote working can endanger business information and personal data, depending on the tools chosen
Make sure you don't lose the protection working in the office provides, such as the confidentiality of business information and the protection of personal data relating to your employees. Check carefully the terms of any screen-sharing or videoconferencing tool you wish to use, as some allow the provider to reuse the shared content or to analyse conversations.
Revisit IT outsourcing arrangements
The last few weeks have shown that even when companies and organisations do not encounter problems themselves, their suppliers may, which could have an adverse effect on their business. Therefore, in the IT context, it is prudent to revisit outsourcing arrangements and verify the impact of potential delivery failures by external service providers.