Coronavirus and Workplace Testing: How do we comply with Data Protection?

As the Government gradually eases lockdown restrictions, it has permitted different types of organisation to return to work. Those businesses which have not yet returned to work will be planning how they might do so in a way which protects the health and safety of their employees, whilst adapting to the “new normal” in legally compliant way.  For further detail on the Government's guidance on how businesses can ensure employees can return to work safely, see our Health & Safety update - how do companies now remain 'COVID secure'?

As part of this, many companies will be planning to roll-out workplace testing to determine whether their employees have been infected by COVID-19.  Further to recent guidance issued by the UK Information Commissioner's Office (“ICO”), this article looks at how businesses can test their employees in a way which complies with data protection legislation.

 Does Data Protection law impact Workplace Testing?

Yes.  However, it does not prevent you from conducting workplace tests. The key thing is that you conduct your tests in a careful and responsible way.If you test your employees, you will be collecting and processing their personal data. This means your processing will be subject to GDPR and the UK Data Protection Act 2018 (“DPA 2018”).  So, you must process the test data in a fair, lawful and transparent way.It is also likely that you will be collecting your employees' health data. This type of data is “special category” data under GDPR/DPA 2018, and attracts extra protections under the legislation.

What are the Lawful Grounds for Testing our employees?

You should be able to process COVID-19 data relating to your employees if you have good reasons for doing so. Most employers will be able to rely on legitimate interests as a ground for processing their employees' personal data, but they should conduct a legitimate interests assessment before they proceed. If you are a public authority conducting a public function, then you might be able to rely on the ground that you are carrying out a public task.You will also need a lawful ground on which to process COVID-19 health data. In that case, it is likely you could rely on processing of the data in the context of employer health and safety obligations. 

We know that we have accountability obligations under GDPR. How do we show compliance?

If you are planning to process COVID-19 health data, then you should first conduct a data protection impact assessment (“DPIA”) which focuses on new processing risks involved in your proposed testing.The DPIA should set out the details of your proposed processing, and identify any privacy risks this creates. It should also discuss whether your proposed testing is necessary and proportionate, and what you can do to mitigate any privacy risks you have identified.If your DPIA shows that you have satisfactorily mitigated any risks, and that your testing is necessary and proportionate, then it will be a valuable document to demonstrate that your testing processes data in a compliant manner. Given that things are moving quickly in the midst of the COVID-19 crisis, it is also important to keep your DPIA under review. Back to the top

Do we need to take care not to collect too much data?

Yes - especially when you are processing health data. You must ensure that the data you collect is just enough to fulfil your stated purposes for testing. You should also ensure that the data you collect is relevant to those purposes. Once you have collected the data, you will need to ensure it is kept accurate and up to date, to comply with GDPR principles. 

What do we need to tell our Employees?

The GDPR places an emphasis on transparency, so be clear and honest with employees from the outset regarding how and why you will test them. This includes any decisions you make about the employees regarding their COVID-19 health data.If you can, you should provide your employees with a privacy notice before you test them. If this is not practicable, you should at least advise them of the basics around how/why you will test them; what you will use their data for; and for how long you will retain their data.

 What if an Employee tests positive? Can we tell their colleagues?

Data protection does not prevent you from safeguarding the health and safety of your staff. You can tell them about potential or confirmed COVID-19 cases, but you should not disclose the names of the affected individuals - this is part of the obligation to process as little data as possible. Back to the top

An Employee arranged their own test and disclosed the results to us. What should we do with those results?

You should ensure that the information is appropriately secure. You might also owe a duty to keep the results confidential. Do not collect, use or share such data unless it is relevant, proportionate and necessary to do so. 

What about using technology such as temperature checks or thermal cameras on our site(s) to monitor our staff?

These technologies tend to be privacy-intrusive, so you should proceed with due consideration.  Can you achieve your purposes through less intrusive means? If so, that might be a better option. Otherwise, ensure that your employee monitoring is necessary and proportionate, and be clear, open and honest with your staff about your monitoring. Again, you can undertake a DPIA in respect of any surveillance systems you intend to use - this will help you implement your monitoring in a lawful way and demonstrate your compliance with data protection law.For further information on how to comply with data protection law during the Coronavirus crisis, particularly when a large section of your employee population are working from home, see The show must go on - Data Protection Compliance in the time of Coronavirus and Data Protection Law - Scope and Application.

---

If you would like to talk through the consequences for your business, please email us and one of our team will get in touch.