Jagvinder Singh Kang stresses the importance of early action on data protection if employers seek to introduce workplace testing for coronavirus
With the lockdown being relaxed and employees starting to return to work, there will be concerns, both for employers and employees, about the risk of coronavirus contagion within the workplace. This is particularly the case as: the Test and Trace system launched by the Government is suffering from some initial issues in relation to its efficacy; and the NHSX contact tracing app is still to be launched.
Consequently, some employers may wish to embark upon workplace testing for coronavirus as part of their risk assessment and mitigation measures. However, it is important to bear in mind that such testing cannot simply be put into place overnight. Employers thinking of implementing workplace testing should be planning for it now.
Alongside the HR and regulatory aspects relating to workplace testing, compliance with data protection laws is absolutely fundamental. Amongst the key principles which must be borne in mind are those relating to the processing of personal data in a lawful, fair and transparent manner.
The Importance of Data Protection Impact Assessments
The starting point should be to undertake a Data Protection Impact Assessment (DPIA). This will help formulate the various aspects of the data processing arrangements required, as well as identify risks and mitigation measures. Furthermore, the DPIA assists with demonstrating accountability under the data protection laws.
A number of requirements will need to be considered and determined as part of the DPIA, such as:
- which personal data will be collected – this needs to be aligned with the legal requirements relating to ‘data minimisation’, namely that only the data which is required to achieve the respective purposes is collected. The personal data which is gathered also needs to be adequate, relevant and limited for such purposes. So, by way of example, it would be appropriate to record whether the result of a test is positive, but it would not be appropriate to collect other underlying health information;
- how the personal data will be collected;
- how the personal data will be processed;
- how the data protection requirements for ‘accuracy’ will be upheld;
- who the personal data will be shared with (so data flows will also need to be considered);
- how and where the personal data will be stored;
- data retention arrangements, including how and when the personal data will be deleted.
Additional Data Protection Considerations
The above will also give rise to additional considerations, such as whether third party service providers are going to be used (including in respect of any Cloud processing or storage of personal data). In which case, further data protection considerations will need to be addressed, including:
Furthermore, mandatory data protection registers, identifying data processing activities, will need to be updated to reflect this new process.
Transparency is Key
One of the key criticisms that has arisen in the media about the Government’s Test and Trace system, as well as the forthcoming NHSX app, has been the perceived lack of transparency about the processing arrangements. At the moment, such negative views seem to be undermining the Government’s efforts. By analogy, it is therefore important that transparency of processing requirements are complied with within the workplace regarding any proposed testing, not only to comply with data protection legal requirements, but also to reassure employees about how their data is being handled. This can be accomplished using the information gained from the DPIA to formulate privacy notices. Where appropriate, employees should also be consulted about the proposed processing of personal data as part of the workplace testing initiative.
Proper Purpose Consideration
With regard to the data which is being collected and the purposes for which it is being used, one has to think beyond just the initial test. Organisations need to consider what they are going to do with the outcome of that test for both positive and negative results. Where someone has tested positive and an organisation undertakes internal contact tracing to seek to determine who else may have come into contact with an infected employee, some quite significant privacy considerations arise. For example, how is the internal contact tracing going to be conducted and by whom? If internal CCTV footage is intended to be used for such purposes, then this will also need to be addressed in the DPIA. Another consideration is whether internal contact tracing can be undertaken without revealing the identity of the infected individual to co-workers. It has already been noted with the Government’s forthcoming NHSX contact tracing app, that there can be situations where the identity of an individual can be deduced by their contacts, if such contacts have only had a limited number of interactions with third parties. This may also give rise to similar issues within the workplace. Therefore, the DPIA needs to factor in such considerations.
Respecting and Factoring In Data Protection Rights and Compliance
It is also important that employees are able to exercise all of their applicable data protection rights, including subject access rights, with regard to any workplace testing processes. Factoring this into the process during its initial formulation will help ensure compliance with the mandatory requirements of the data protection laws. Furthermore, this guards against time, cost and resource intensive procedures having to be deployed subsequently, which is what happens where the matter is addressed in a reactive rather than proactive manner at the outset. Again, such considerations will form part of the DPIA.
The above should illustrate why it is vital that organisations start preparing now for any prospective workplace testing arrangements, well in advance of any proposed start date for them.
Jagvinder Singh Kang is a specialist technology lawyer, data protection lawyer and qualified software engineer. He is also the International Head of IT Law at the leading law firm, Mills & Reeve.