With preparations now gathering momentum for a return to office working of sorts, many are grappling with the complex issues that operating a safe, and lawful, working office environment presents. In a series of articles, experts from our Real Estate Sector Group are looking at some of these issues, offering practical and essential guidance. In this second article in the series, David Varney, a Director in our technology team, reviews some of the data protection and privacy issues that commercial landlords and their tenants need to consider before implementing any screening measures, in particular some of the potential measures that might involve processing workers’ personal data and sensitive information.
Why does GDPR matter to commercial landlords and tenants when offices re-open?
To ensure workplace safety and to comply with government guidance, commercial landlords and tenants may consider introducing on-site temperature checks, COVID-19 screening questionnaires, self-declarations, or other forms of health screening. Collection and processing of personal data and health data of individuals are regulated by the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”), which many commercial landlords may not have previously dealt with on a daily basis.
GDPR requires any organisation processing personal data to do so fairly, transparently and on legally-justified grounds. An organisation which decides what personal data to collect and how it is processed is a controller of data and will bear more responsibility than organisations that merely carry out the instructions of that controller (known as data processors).
Failure to meet the requirements of GDPR could potentially lead to fines of up to £17,000 or four per cent of global turnover, whichever is higher. Whilst the ICO’s announcements during the pandemic have shown that it would take a proportionate and compassionate approach when enforcing data protection legislation, a serious data breach of sensitive data could still lead to monetary fines.
What are commercial landlords’ and businesses’ obligations in respect of on-site COVID-19 screening?
Businesses naturally have legal obligations under both employment law and health and safety regulation to ensure the safety of their workplace.
It is conventional for commercial leases to include provisions under which landlords must comply with legislation. For properties with multiple occupiers, it is also in the landlord’s interest to ensure that any screening and social distancing measures are coherent and robust to limit the risk of sudden office closures due to COVID-19 positive cases.
Who should carry out the on-site screening, and how can they do so lawfully under GDPR?
An organisation may only process personal data if it can justify the processing on one of the GDPR-prescribed grounds. Processing of health data requires additional conditions prescribed by the DPA to be met.
Some of those grounds and conditions are only available to organisations that are collecting personal data to comply with their obligations as employers. For an office with a single occupier, it may therefore be appropriate for the occupier to design and perform the workplace COVID-19 screening in its role as an employer.
In offices with multiple occupiers or serviced offices, however, it may be logistically and contractually more sensible for the landlord to work with occupiers to design and perform the COVID-19 screening, as any test or screening is likely to be carried out in the common area of an office building. The government’s guidance on maintaining social distance in offices and contact centres also emphasises the importance of collaboration between commercial landlords and tenants. In those cases, however, it is crucial for commercial landlords to seek legal advice on data protection compliance before carrying out on-site COVID-19 screening. This is because if a landlord is considered to be a “controller” of the personal data, the prescribed grounds on which a landlord may justify the processing of workers’ and visitors’ health data are very limited and often conditional. Landlords may need to rely on workers’ and visitors’ explicit, informed and freely-given consent, meaning that in practice the on-site screening is unlikely to be strictly mandatory.
Apart from finding a regulatory justification to carry out the on-site screening, commercial landlords will also be required by GDPR to provide individuals with the appropriate privacy information, ensure any data collected is proportionate to the justification relied on, and carry out data protection impact assessments to demonstrate compliance. As commercial landlords will inevitably want to share the data collected with the relevant tenants, contractual arrangements should be put in place to ensure lawful data sharing and fair risk allocation. For further details on the ICO’s latest guidance on workplace COVID-19 testing, please see our article here.
Other measures to maintain social distancing
On-site screening is likely to be one of a series of measures commercial landlords and businesses will need to consider to maintain social distance when offices do re-open. For example, clear signage, restrictions to lifts, additional cleaning, provision of masks and modifications to offices could all be useful measures. However, many of these measures may raise the difficult question of the impact on service charges at a time when additional costs will be far from welcome.
If you would like any further information on any of the issues raised in this article, or to discuss any other data protection law-related issues in the context of real estate, please contact David Varney.
Also, our COVID-19 Support Hub includes a collection of helpful resources in relation to both Data Protection and Real Estate issues.
If you need assistance in relation to any other area of the law in connection with the use and occupation of your office space, whether you are a landlord or tenant, please contact Richard Clark, head of our Real Estate Sector Group.