Newsletter Covid-19 Edition 2020

Welcome to the newsletter. This is a special edition focusing on the Covid-19 pandemic.

Business Legal specialises in four core areas. These are the 3 core regulatory areas for employers, plus Legal Project Management.

  1. Health and Safety
  2. HR and Employment
  3. Data Protection and Privacy
  4. Legal Project Management/General Counsel services

Almost uniquely, this pandemic touches upon all of these 3 core areas.  We thought it would therefore be useful to provide advice and tips to employers in all three areas at this difficult time.

Health Data processing.

To be legally compliant with data protection law, an employer must have a “lawful basis” or justifiable reason to process an employee’s personal data.

Ordinarily, under the GDPR, these reasons could include:

  1. employee consent;
  2. where the processing is necessary for the performance of a contract to which the data subject has agreed;
  3. for compliance with an employer’s legal obligation;
  4. where the processing is necessary to protect to protect an individual’s vital interests;
  5. where the processing is necessary in the public interest;
  6. where the processing is necessary for the purposes of legitimate interests pursued by the employer.

Health data used is considered a ‘special category’ of personal data under the GDPR. Processing of special categories of personal data is prohibited unless additional legal bases apply. Therefore, in addition to having one of the above legal bases for processing, the employer must ALSO have one of the following legal bases:

  1. explicit consent;
  2. where the processing is necessary for the performance of specific rights or obligations in employment/social security/social protection law or a collective agreement;
  3. where the processing is necessary to protect to protect an individual’s vital interests where the data subject is physically or legally incapable of giving consent;
  4. where the processing is carried out by a non-profit body in certain circumstances;
  5. where the processing related to personal data made public by the data subject themselves;
  6. where the processing is necessary for the establishment, exercise or defence of legal claims;
  7. where the processing is necessary for reasons of substantial public interest;
  8. where the processing is necessary in some limited other circumstances as set out in Article 9 of the GDPR, most particularly :
  • where processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law;
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional where the data is processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law

Explicit consent (i.e. stated consent, or consent signified by some positive action such as ticking a box, not just consent which may be inferred from circumstances) given by the data subject to process their data is one of these additional legal bases, however employee consent is often not considered true consent due the asymmetrical nature of the employer/employee relationship.  Also note that ‘Legitimate interests’ are not available as a legal basis to process health data

What are the essentials of Health and Safety applying to Covid-19 in Ireland?

It is not always fully appreciated that Health and Safety law is primarily aimed at the employment relationship.  It primarily deals with the responsibility of employers to protect the health, safety and welfare of their employees.  Whilst there are obligations on certain organisations to protect members of the public who have access to their premises and facilities, there is much less detailed emphasis on the public in Irish law than there is on protecting employees.

All employers are required to have a Safety Statement, which must be a “living” document.  By this we mean that preformatted standard documents are almost useless as a Safety Statement.  Many employers unfortunately have Safety Statements which are very general statements of intent.  In fact, a safety statement is meant to be based upon specific risk assessments which the employer has done, detailing the specific risks to the health and safety of employees in that organisation.  Safety Statements should be updated to take account of the Covid-19 Crisis.

“Example of public health issues not being directly part of HSA role”

The announcement in the newspapers over the weekend that the Health and Safety Authority did not inspect any workplaces in the last eight weeks came as a shock to many.  However, under SI 370/2016 transmissible diseases are not one of the dangerous occurrences which are reportable to the HSA. Covid-19 cases are reportable by medical practitioners become aware of suspects and instance of the disease under SI 53/2020 Infectious Diseases (Amendment) Regulations 2020.  The Department of Health is the lead department in relation to Covid-19.

Government Guidelines on getting back to work during the pandemic.

The Government has issued a Return to Work Safely Protocol in relation to Covid-19.  We set out the essential requirements on employers below, together with a link to the very much more detailed guidance contained in the Protocol itself.

Requirements on employers.

  1. Develop/update a Covid-19 Response Plan.  Details for what should be in a plan are set out in the Protocol.
  2. Update Risk Assessments and Safety Statement.
  3. Keep a log of contact/group work to facilitate contact training and advise employees of the existence and purpose of the log.
  4. Display Covid-19 information.
  5. Implement temperature testing in line with Public Health advice.
  6. Put in place necessary controls as identified in the employer’s updated Risk Assessment.
  7. Have a pre—return to work form for workers to complete at least 3 days in advance of the return to work.  The form should seek confirmation from the worker that to the best of their knowledge, they have no symptoms of Covid-19 and also confirm that the workers not self-isolating or awaiting the results of a Covid-19 test.  Some specific questions as set out in the Protocol MUST be contained on the form.
  8. Put in place induction training for all workers on Covid-19 as specified in the Protocol. 
  9. Appoint an appropriate manager to deal with suspected cases of Covid-19.
  10. Identify a designated isolation area in advance of any Covid-19 cases.
  11. Provide Ventilation, PPE, Disinfectant and sanitising equipment, clinical waste bags.
  12. Provide appropriate hygiene facilities to enable hand hygiene.
  13. Provide for good respiratory hygiene.
  14. Provide for a distancing across all work activities.  Detailed guidance is as set out in the Protocol.
  15. Employers are NOT required to report Covid-19 cases to the Health and Safety Authority. That is the duty of medical practitioners.

The Return to Work Safely Protocol itself can be found at the following links:-

In English:

In Irish:

Covid-19 Business Support Schemes.

Pandemic Unemployment Payment

Covid-19 Wage Subsidy Scheme

Covid-19 Income Support Scheme

Short-Time Work Support

Covid-19 Online Retail Scheme

Covid-19 Credit Guarantee Scheme

Covid-19 Business Loans

Covid-19 Working Capital Scheme

Covid-19 funding under Future Loans Scheme

Employment law aspects of the Covid-19 pandemic

The Covid-19 pandemic raises quite a few employment law issues.  Many organisations are fighting for their existence, and drastic measures may have to be taken.  This is against the backdrop wherein it is normally difficult to change terms and conditions of employment, and where there is an economic cost to making redundancies over and above the cost of statutory redundancy.

Here are a few pointers in relation to some of the problems, but also the potential for restructuring afforded by the crisis.

Firstly, terms and conditions of a contract of employment cannot be unilaterally changed.  This is because a contract of employment is first and foremost a contract, and a contract which can be unilaterally altered by one side removes the essence of a contract (i.e. a bargain between 2 sides).

In mediaeval times, an employee was an indentured servant, but there were still limits to the way in which the employer could unilaterally change that arrangement.  In modern times, an employer is fettered by European Union law, national law, constitutional provisions, collective agreements and employment regulation orders, case law, and custom and practice.  Notwithstanding all this, it is possible in most instances to change the terms and conditions of employment by agreement between the employer and the employee.  In some circumstances that agreement from the employee is deemed to come through acquiescence (i.e. not objecting to the proposed changes within a reasonable timeframe).  A lawyer’s rule of thumb for a term and condition to become incorporated into a contract of employment is approximately 6 months. 

In the current crisis though, many employers do not have the luxury of waiting 6 months.  Their options are therefore curtailed to such changes as they can make by agreement.  The reality though, is that faced with an existential threat to an organisation, particularly private organisations, many employees have little choice but to accept substantial changes in working conditions, and terms of employment in return for the continuation of that employment.  The alternatives to this are layoff, short-time working, or redundancy. 

Layoff is a form of temporary redundancy, wherein the employee remains employed by the employer, but is simply not required to work for the period.  Short-time occurs when an employee’s hours or remuneration is reduced to less than one half of their former level.

After 4 continuous weeks on layoff or short time, or 6 weeks within a 13-week period, an employee becomes entitled to claim redundancy from the employer.

If the employee does not claim redundancy, then absent any other claim, such as a discrimination claim, a penalisation claim or a claim for constructive dismissal, the layoff or short time can continue indefinitely.

The reality for many employers therefore is that they can put staff on layoff or short time and see how matters go for a period of time.  It is possible for employees to claim the Pandemic Unemployment Payment if they are on layoff.  Employees who are on short time or layoff can be paid through the Temporary Covid-19 Wage Subsidy Scheme.

Many employers may decide that it is simply easier to make some employees redundant.  Whilst the Workplace Relations Commission (“WRC”) are very alive to the prospect of particular employees being targeted for redundancy because the pandemic is seen as an opportunity to get rid of them, it will be very difficult to argue that a specific employee has been targeted, in circumstances where multiple employees are being made redundant at the same time.  In blunt terms, if employees were considering a round of redundancies, or if they had specific areas that they were considering targeting, now is as good a time as any to proceed with this.

DPC ramps up enforcement

In addition to fining TUSLA €75,000 last week for 3 data breaches, the DPC have issued a 2nd decision against TUSLA, and TUSLA have 28 days to appeal that decision.

The DPC have also sent a draft decision in relation to Twitter under Article 60 of the GDPR to all of the other data protection regulators in the EU.  Article 60 concerns cooperation between data protection authorities in Europe in circumstances where an organisation with multijurisdictional reach is being investigated by a “lead supervisory authority” (in this instance the DPC).  The other data protection regulators now have 4 weeks to comment on the draft decision.

In similar vein, the DPC have sent a draft decision to WhatsApp Ireland Ltd for their comments/submissions prior to the draft decision being finalised.  When that draft decision is finalised, it will be sent to the other EU data protection regulators in similar fashion to the Twitter draft decision.

If the other EU data protection regulators have no objection to the decision, the DPC will issue their decision.  Given the size of the previous EU GDPR fines against large tech companies, and the existence of a consistency mechanism under Article 63 (which can be invoked if the DPC does not follow any reasoned objection made by one of the other EU data protection regulators) it is not unreasonable to expect that if the finding is adverse to Twitter, then the result will be a large administrative fine.

Lastly, and potentially driving the above, is the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18).  In his recent Opinion, Advocate General Saugmandsgaard Øe gave the view that the DPC should have been more proactive in dealing with matters, and that it was the duty of data protection regulators to proactively enforce the GDPR.  The Opinion of the Advocate General is a preliminary stage in ECJ and CJEU proceedings where a reasoned opinion is set out.  It is open to the full Court to depart from the decision, and the reasoning, in the Opinion, but it usually does not do so.

The full Court is scheduled to give its judgement in the case on 16 July next.  If it follows the reasoning of the Advocate General, then we can expect a much more proactive Data Protection Commission,