Globally, employers are looking at methods of returning to work safely and limiting the risk of contamination in the workplace. As such, workplace testing (temperature or screening) is increasing. Whilst businesses in the UK are not being actively encouraged to routinely test employees, testing is not prohibited and many businesses are already doing so in an attempt to protect their staff and the public.
If you do introduce workplace testing, you will be processing individuals’ personal data and must, therefore, comply with data protection laws (namely, the GDPR and Data Protection Act 2018). In fact, your obligations will be enhanced, as health information is “special category data”, which requires an additional layer of protection to “standard” personal data.
The ICO has now issued guidance on how to comply with data protection law when conducting tests, including how to approach testing in the workplace, how much data can be collected and what data can be retained, and we summarise the key things to be aware of below.
How do I comply with data protection law when conducting tests?
In order to do workplace testing and process the health data gathered, employers must tick three boxes:
- Comply with the data processing principles, including handling data in a lawful, fair and transparent way.
- Have a “lawful basis” for the processing.
- Satisfy an additional “condition” (see below).
Before commencing tests, be transparent with staff, making clear:
- what personal data is required;
- what it will be used for;
- who you will share it with; and
- how long you will keep it.
Ideally, this should also be reflected in your written privacy notice before any health data processing begins.
For most employers, the lawful basis will be “legitimate interests”. To rely on this, the testing:
- must be “necessary” for the employer’s legitimate interests or the interests of a third party (which includes wider benefits to society); and
- must not “override” the individual’s rights. This second limb involves a balancing exercise between the employer’s / third party’s interests and the individual’s interests. Given the global pandemic, this balance should fall in the employer’s favour. However, you should do your own legitimate interests assessment (LIA) and keep a record of this to help you demonstrate compliance, if required.
The “condition” for processing the health data will be that it is necessary to comply with employment law, which would include ensuring the health, safety and welfare of employees. This is subject to one major caveat, which is that you must have an appropriate policy document in place - namely, a data protection policy or privacy notice. If you do not have such a document or it needs updating to deal with the current situation, please get in contact with BPE's Employment Team.
A key principle within data protection law is “accountability”, namely being able to demonstrate compliance. One way of doing this when processing particularly sensitive data (such as health data) is through a data protection impact assessment (DPIA).
We would recommend conducting a DPIA before introducing testing and processing health information, using the template available on the ICO website. In essence, this would set out:
- the activity being proposed - namely, the type and frequency of testing;
- the data protection risks;
- whether the proposed activity is necessary and proportionate - explain why it is;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
Once you have done an initial DPIA for the testing, regularly review and update this as the pandemic progresses.
Is it possible to collect too much data?
Another key principle in data protection law is “data minimisation”. Essentially, this means processing (collecting, retaining etc) as little data as possible and restricting this to what you absolutely need to fulfill your purpose.
In relation to employee testing, you should only collect the data needed to determine whether an employee has symptoms of the virus or the virus itself. In addition, you should only retain the result of a test, rather than additional details about underlying conditions.
Can I keep a list of employees who test positive or show symptoms?
Yes, provided that it is necessary and relevant for your purpose. For example, keeping records of such data may be necessary when determining who is able to return to the workplace or meet with clients.
If you retain data, this must be stored securely and treated confidentially, and you must ensure that this does not result in any unfair or harmful treatment of employees.
As data protection law also requires that any personal data you hold is accurate, ensure that you record the date of any test results, because the health status of individuals may change over time and the test results may no longer be valid.
Can I share test results with the relevant authorities?
Yes, provided that you do not share irrelevant or excessive data.
If an employee gets themselves personally tested and shares this with me, what should I do with this?
As above, you should consider whether it is necessary and relevant to your “purpose” to keep a record of this. If it is, ensure that you store this securely and treat it confidentially, and do not share irrelevant or excessive information with authorities.
Can I inform staff if a colleague tests positive?
As you have a duty to ensure the health and safety of your employees, you should keep staff informed of any potential or confirmed cases. However, you should avoid naming infected individuals where possible and provide no more information than is necessary to staff.
What about having thermal cameras on site to monitor staff temperatures?
As this is very intrusive, you would need to carefully consider why and how you would use these and whether there is a less intrusive way of achieving your aim. If there is, the monitoring is likely to be disproportionate.
You should complete an SCC DPIA, a specific DPIA which has been updated by the Surveillance Camera Commissioner and ICO.
You should also be transparent with staff.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.