COVID-19: ICO publishes guidance for employers on workplace testing

The ICO has published guidance for employers on the data protection implications of workplace testing for COVID-19. The guidance answers questions frequently asked by employers as they contemplate workplace testing, including how much information they need to give their employees and whether they can keep lists of employees with symptoms. We have set out below a summary of the current guidance.


Do I need to consider data protection law if I want to carry out tests to check my staff for symptoms of COVID-19? 

Yes – anyone processing information relating to an identifiable individual must comply with the General Data Protection Regulation (GDPR) and Data Protection Act 2018. This includes handling information lawfully, fairly and transparently. This is particularly relevant for personal data relating to health as it is classed as more sensitive ‘special category data’.

Which lawful basis can I use for testing employees?

Public authorities carrying out their function should process health data under the ‘public task’ basis. Other public or private employers should consider the ‘legitimate interest’ basis and make their own assessment.

As health data is ‘special category data’, employers must also identify an Article 9 condition for their processing. Here, the relevant condition may be the ‘employment condition’ under Article 9(2)(b), which covers what employers will need to do to comply.

How can I show that our approach to testing is compliant with data protection law?

Employers should demonstrate their compliance with the GDPR by keeping accurate records of data processing and by undertaking a data protection impact assessment (DPIA). Testing for COVID-19 will involve processing new health information and organisations should therefore conduct a DPIA focussing on new areas of risk.

This DPIA should set out the activity proposed (i.e. testing), assess the data protection risks and ascertain whether the testing is necessary and proportionate. It should also consider how to mitigate the risks of processing this information and contain a plan to ensure any such mitigation is effective. DPIAs should always be regularly reviewed and updated, and particularly so in these circumstances, as new risks regularly emerge in a fast-moving crisis situation.

How do I make sure I don’t collect too much data?

It is important to only collect and retain the minimum amount of information needed for the relevant purpose (i.e. testing), particularly when dealing with special category data. This means not collecting excessive data from employees that is not required for testing.

In order to adhere to this, employers should consider:

  1. Refraining from asking employees for details about underlying health conditions unless specifically relevant to their COVID-19 diagnosis.
  2. Reviewing all available testing options to ensure tests only collect appropriate results.
  3. Dating any test results so that it can be determined whether personal data held is accurate.

Can I keep lists of employees who either have symptoms or have been tested as positive?

Yes – as long as the lists are necessary and relevant for the purpose of testing. Employers should also ensure that their data processing is secure and maintain their duty of confidentiality to their employees. Similarly, employers should ensure that the lists do not cause employees to be unfairly treated, for example by failing to keep the tests confidential, recording information inaccurately or retaining the lists for other purposes.

How much do I need to tell my staff?

It is important that employers are transparent with employees about how and why they want to use testing. Before carrying out any tests, employers should explain what personal data is required, what it will be used for, who it will be shared with and how long it will be kept. Employers should also invite employees to discuss any concerns with them directly.

Can I tell employees or third parties that someone has tested positive?

If possible, employers should avoid individually identifying employees who have symptoms of COVID-19 or who have tested positive, and should only share necessary information with other employees. However, employers ought to keep staff informed of any potential or actual cases of COVID-19 in the workplace, as they have a duty to ensure the health and safety of their employees. It is also important that data protection is not viewed as a barrier to sharing data with the authorities for public health purposes, or with the police.

Some staff already have the results of their own tests. What happens if they disclose these to me?

Employers ought to have due regard to the security of any data voluntarily disclosed to them and should consider their duty of confidentiality to employees providing test results. They should focus on making sure any use of data is necessary and relevant and that irrelevant or excessive data is not collected or shared. 

Would it be appropriate to use temperature checks or thermal cameras on site as part of testing or ongoing monitoring of staff?

Employers should consider whether monitoring employees with intrusive technology is a necessary and proportionate means of testing the workforce or whether a less intrusive approach could achieve the same results. As above, transparency about such methods is key to protect employees’ rights and preserve the relationship between employer and employee.

The ICO directs employers to consult the Surveillance Camera Commissioner (SCC) DPIA template, which is specific to surveillance systems and is aimed at helping employers consider the risks associated with using thermal cameras or other surveillance in the working environment.


These FAQs supplement the ICO’s other guidance and its statement on its regulatory approach to the pandemic.

It’s important to note that the approach taken by the government to COVID-19 varies between England, Wales, Scotland and Northern Ireland. Employers should therefore ensure, alongside complying with the above guidance, that they are complying with the relevant local requirements for each of their premises, including adhering to any local differences that may be introduced as the UK moves out of lockdown. Employers should also check the guidance regularly as it may be updated.
