Workplace testing may be possible but employers need to consider data protection compliance carefully
The ICO has issued guidance for employers who may wish to test employees for COVID-19 or ask them for their test results.
Clarity that data protection law applies
The ICO points out that employers must consider data protection law because they will be processing information that relates to an identified or identifiable individual and so must comply with the GDPR and the Data Protection Act 2018. Data protection law does not prevent organisations from taking the necessary steps to keep staff and the public safe and supported during the present public health emergency, but it sets out parameters.
Lawful basis for testing employees
Public authorities carrying out their function are likely to be able to use the public task basis in the GDPR; otherwise, legitimate interests is likely to be the appropriate lawful basis.
Due to its sensitivity, health data has the protected status of ‘special category data’ under data protection law. As such, employers must also identify an Article 9 condition for their processing.
The relevant condition will be the employment condition in Article 9(2)(b), along with Schedule 1 condition 1 of the DPA 2018. This applies due to employer health and safety obligations. This condition will cover most of what employers need to do, as long as they are not collecting or sharing irrelevant or unnecessary data.
Employers will need to show that their processing of test data is compliant, and to do so they will need to apply the accountability principle. This means that an employer must be able to demonstrate compliance, for example by meeting the additional record-keeping requirements that apply when processing sensitive data. One way of doing this is through a data protection impact assessment (DPIA). This should set out: the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place to counter the risks; and a plan or confirmation that mitigation has been effective.
DPIAs are designed to be flexible, as appropriate to the context, and they should be regularly reviewed and updated. This is especially important in a fast-moving crisis situation, as new risks and benefits emerge.
For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information needed to fulfil the employer’s purpose. Therefore, employers should ensure that data is adequate – enough to properly fulfil the stated purpose; relevant – has a rational link to that purpose; and limited to what is necessary – employers do not hold more than needed for that purpose.
In the context of test results, employers should ensure that they do not collect unnecessary or excessive information from people. For example, they should just collect the result of a test rather than additional details about underlying conditions. Employers should be able to demonstrate the reason for testing individuals or obtaining the results from tests.
Personal data held must be accurate. As such, employers should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid.
Information about employees with symptoms or a positive test result
The ICO says that employers can keep lists of employees who either have symptoms or have tested positive. However, they must ensure that the use of the data is actually necessary and relevant for the stated purpose. Employers must ensure that the data processing is secure, and consider any duty of confidentiality owed to employees. They must also ensure that such lists do not result in any unfair or harmful treatment of employees. For example, this could be due to inaccurate information being recorded, or a failure to acknowledge an individual’s health status changing over time. In addition, it would not be fair to use, or retain, information collected about the number of staff who have reported symptoms of COVID-19 for purposes they would not reasonably expect.
Employers should be clear, open and honest with employees from the start about how and why they wish to use their personal data. This is crucial when processing health information. If testing employees for COVID-19 or checking for symptoms, employers must be clear about the decisions they will make with that information. Ideally, employers should have clear and accessible privacy information in place for employees before any health data processing begins. The ICO appreciates that this may not be possible at this time. However, as a minimum, employers should let staff know what personal data is required, what it will be used for, with whom it will be shared and for how long it will be kept.
The guidance highlights that employers should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, they should avoid naming individuals if possible, and should not provide more information than is necessary.
Duty of care
Employers have a duty to ensure the health and safety of all their employees. Data protection does not prevent this, and should not be viewed as a barrier to sharing data with authorities for public health purposes, or the police where necessary and proportionate. Employers also need to consider any risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach.
Staff information rights
So that individuals can exercise their information rights, employers need to understand what personal data is held and the uses to which it will be put – as mentioned above, transparency is crucial and information needs to be accessible and easy to understand. Employers also need to put processes in place to allow staff to exercise their rights.
Asking staff to disclose results of their own tests
If staff voluntarily disclose test results to an employer, the employer must have due regard to the security of that data, and consider any duty of confidentiality owed to those individuals who have provided test results. Employers should make sure that their use of the data is necessary and relevant, and that they do not collect irrelevant or excessive data, or share it with authorities, if this is not required.
Temperature checks or thermal cameras on site
When considering the use of more intrusive technologies, especially for capturing health information, employers need to give specific thought to the purpose and context of their use and be able to make the case for using them. Any monitoring of employees needs to be necessary and proportionate, and in keeping with their reasonable expectations. Again, transparency is key. Employers should also think about whether the same results can be achieved by other less intrusive measures. If so, such monitoring may not be considered proportionate.
The Surveillance Camera Commissioner (SCC) and the ICO have worked together to update the SCC DPIA template, which is specific to surveillance systems. This will assist organisations considering the use of thermal cameras or other surveillance.