Following the limited relaxation of lockdown restrictions by the UK Government and the likely return to the workplace of at least some employees, the UK Information Commissioner’s Office (ICO) has published some helpful guidance for employers on the data protection issues raised by workplace testing for coronavirus.
The guidance notes that, although data protection law does not stop employers taking measures that are required to protect their staff and the public during the coronavirus pandemic, personal data must be handled carefully.
The guidance makes clear that employers must consider the requirements of the GDPR and the UK Data Protection Act 2018 (DPA) if they plan to conduct tests to confirm whether employees are suffering from COVID-19 or any relevant symptoms. Employers will likely be collecting both personal data and “special category” health-related data (which attracts more stringent protection) and compliance will involve processing relevant data lawfully, fairly and transparently.
The guidance considers which lawful basis for processing employers will be able to rely on when carrying out testing. It notes that, provided there is good reason for processing health data about COVID-19, for public employers (other than public authorities) and private employers the “legitimate interests” basis may well be appropriate. Regarding special-category health-related data, the ICO suggests that the “employment” condition, which relates to employers’ health and safety obligations, is likely to be relevant, provided that no irrelevant or unnecessary data is collected or shared.
The guidance also reminds employers to comply with the “accountability principle”, meaning that employers must be able to evidence their compliance, for example, by carrying out data protection impact assessments (DPIAs) focusing on new risk areas. The guidance outlines the areas that DPIAs should cover, noting that a template is available to assist organisations in focusing on the minimum requirements, and confirms that DPIAs should be regularly refreshed.
The ICO also emphasizes the importance of data minimization in respect of health-related data, observing that such data should be adequate, relevant and limited to what is needed. Excessive information should not be collected regarding test results (e.g. only the test results themselves, but not information about underlying conditions will likely be required). Employers should also be able to show why they are testing individuals or collecting test results and ensure that this is proportionate and necessary, taking account of all available testing options. The importance of the accuracy of personal data is also noted.
The guidance confirms that employers can keep lists of employees who test positive for, or display symptoms of COVID-19 in accordance with certain conditions, provided that these do not lead to any unfair or harmful treatment of employees. Information regarding employees who have reported symptoms should also not be used for purposes that employees would not reasonably expect.
Regarding transparency, employers must be clear with their employees about how their health-related data will be used and what decisions will be made based upon it. Ideally, appropriate privacy notices should be implemented prior to commencing any health-related data processing, although the ICO acknowledges that provision of detailed information may be difficult in the current circumstances.
The guidance notes that employees should be informed of possible or confirmed instances of COVID-19 among their colleagues, although affected individuals should not be named if possible and information disseminated to staff should be minimized. Relevant data can also be shared with authorities for public health purposes or the police if necessary and proportionate, in accordance with the DPA. Wider risks to the public should also be considered.
The ICO also stresses the need for employers to ensure that employees are able to exercise their information rights, suggesting that systems could be implemented to facilitate this (e.g. by establishing secure portals allowing employees to manage and update their personal data).
The guidance notes that voluntarily disclosed results of tests arranged by employees should be kept secure and confidential, with employers considering whether use of such data is relevant and necessary.
Finally, the guidance considers whether use of temperature checks or thermal cameras in workplaces as part of testing or ongoing monitoring of staff is appropriate. Such technologies are regarded as intrusive, so employers should consider whether their use is proportionate and justifiable and would reasonably be expected by employees. Use of the Surveillance Camera Commissioner’s DPIA template is recommended.
Although relatively high-level, this guidance will no doubt be welcomed by any data controllers considering employee testing as part of a return to the workplace and provides food for thought regarding the related data protection issues. It should be remembered that employment law and health and safety issues will also require consideration, as well as any local differences implemented by the devolved administrations.