Workplace testing for COVID-19 – complying with data protection law

COVID-19 has been described as the world’s biggest health crisis in modern times. It is recognized that quality testing provides confidence and clarity for employers and employees. Many employers are considering introducing their own internal testing programmes outside of the NHS’s Test and Trace.

If you are an employer considering running your own programme you will need to understand your legal obligations.

The Government has produced helpful general guidance on COVID-19 testing for employers. Read the Government Guidance here.

The Information Commissioner’s Office (ICO) has produced some data protection specific guidance. Read the ICO Guidance here.

Based on the Government’s and the ICO’s guidance, this article outlines some of the data protection issues that should be addressed.

Do I need to consider data protection law?

Yes. If you are processing information that relates to an identified or identifiable person, you need to comply with the UK GDPR and the Data Protection Act 2018. In some circumstances, you may also need to comply with the EU GDPR.

How can I show that our approach to testing is compliant with data protection law?

You must be able to show that you are accountable for your processing. A data protection impact assessment (DPIA) is a way of demonstrating accountability.

Further protections will be required to process special category data which includes information about health.

How do I decide if symptom checking, testing and the processing of employee health data is necessary?

To help you decide whether measures such as collecting employee health information or asking staff to be tested for COVID-19 are necessary, you should consider the specific circumstances of your organisation and workplace e.g.

  • the type of work you do;
  • the type of premises you have; and
  • whether working from home is possible.

You should consider the wider legal framework under which you operate e.g. whether specific regulations or health and safety requirements apply to your organisation or staff and whether you have a specific duty of care to employees.

Health data has extra protections.

Be clear about what you are trying to achieve and whether personal information is necessary for that purpose.

Ask yourself these questions:

  • Do you really need the information?
  • Will these steps actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information, in particular, without health information?

If you can show that your approach is reasonable, fair and proportionate, then data protection is very unlikely to be a barrier.

If you decide that it is necessary to test staff, you need to make sure you manage the information appropriately.

When considering if your approach can be less intrusive, the following questions may be useful:

  • Can you confine the collection of health data to the highest risk roles?
  • Can you limit access to health data, so that only medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility see it?
  • Do you have reasonable alternative measures which don’t rely on personal information, such as strict social distancing or working from home?
How do I decide what type of tests are necessary?

You need to consider whether the tests you select meet your reasons for running a testing regime.

You also should consider how effective these measures are at providing accurate results.

Which lawful basis can I use for testing employees?

The ICO advises that as long as there is a good reason for doing so, data protection law will provide a lawful basis for processing health data in relation to COVID-19. For public authorities carrying out their function, public task is likely to be applicable. For other public or private employers, legitimate interests is likely to be appropriate, but you need to make your own assessment for your organisation.

As Health data is ‘special category data’ employers must also identify an Article 9 GDPR condition for their processing. The relevant ones are likely to be the employment condition and the public health condition.

What do I need to tell my staff about testing?

As an employer, you should be clear, open and honest with employees and contractors from the start about how and why you need to process their personal data. This is crucial when processing health information. If you are testing employees or contractors for COVID-19 or checking for symptoms, you should be clear about what decisions you will make with that information.

You should have clear and accessible privacy information in place for employees and contractors, before any health data processing begins.

Before carrying out any tests, you should at least let your staff know what personal data you require, what it will be used for and who you will share it with. You should also let them know how long you intend to keep the data for. It would also be helpful for you to provide employees and contractors with the opportunity to discuss the collection of such data if they have any concerns.

Can I make testing or checking for COVID-19 symptoms mandatory for my staff?

Not necessarily. Making testing mandatory is not simply a question of data protection. There are many other factors to consider, such as employment law and your contracts with employees, health and safety requirements and equalities issues.

If you make checks and tests mandatory, you must carefully consider whether your use of the data is fair and proportionate to the specified purpose (e.g employment or public health condition). You should take into account any potential negative consequences for individuals and whether using a voluntary approach could achieve the same or similar results. Before you put such measures in place, you must complete a DPIA.

How often should I check for symptoms or test employees?

This depends on the safety measures that your organisation needs to put in place. Any checking or testing of your staff and subsequent processing of their health information should be reasonable and proportionate to the specific circumstances including, in some cases, their role.

Individuals’ health status may change over time, so if you do decide to make any record of test results, you should ensure its accuracy by recording the date of the result where appropriate. You need to base any decisions you take on factually accurate information.

My organisation has commissioned a testing service for our employees. What information do I have to provide to employees about results?

Before carrying out any tests, you must tell your staff what personal information you require, what it will be used for and who you will share it with. You should also tell staff how long you intend to keep the data for.

It may be helpful for you to give employees the chance to discuss the collection of their data with you if they have any concerns. You should consider any potential negative consequences for staff and whether this means your use of their data could be unfair. Employees should also be informed about the rights they have in relation to this data, such as their right of access.

Some staff already have the results of tests that they have arranged for themselves. What are the data protection considerations if they tell me these results?

As an employer, any test results that your staff voluntarily disclose to you should be kept secure, and you should consider any duty of confidentiality you owe to those individuals who have provided test results. Your focus should be on making sure your use of the data is necessary and relevant and that you do not collect or share irrelevant or excessive data to authorities, if this is not required.

Can I keep lists of employees who either have symptoms or tested as positive?

Yes. If you need to collect specific health data about employees, your use of the data must be necessary and relevant for your stated purpose. You should ensure that the data processing is secure and consider any duty of confidentiality you owe to employees.

As an employer, you must also ensure that such lists do not result in any unfair or harmful treatment of employees, such as through recording inaccurate information or a failure to acknowledge an individual’s health status changing over time. It would also not be fair to use or retain information you collect about the number of staff who report COVID-19 symptoms for purposes they would not reasonably expect.

How do I ensure I don’t collect too much data?

For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose.

In order to not collect too much data, you must ensure that it is:

  • adequate – enough to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.
Can I share the fact that someone has tested positive with other employees, and what do I need to consider if I am planning to disclose this information to third parties?

The ICO advises that you can share this information with staff and third parties. As a notifiable disease, employers must inform public health authorities when there are two or more cases of confirmed COVID-19 as it constitutes an outbreak. You should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals if possible and you should not provide more information than is necessary.

Data protection law doesn’t prevent you from sharing data with relevant authorities for public health purposes, or with the police where this is necessary and proportionate.

Can I use CCTV or other forms of surveillance to monitor whether my employees are observing health and safety measures to respond to the COVID-19 pandemic?

Yes, if it is necessary, justified and proportionate.

You need to make an assessment of its necessity and proportionality in the circumstances. You should consider what changes are needed to your existing policies and procedures, and how using surveillance technology helps you to achieve your objectives. These considerations may feed into a data protection impact assessment.

Employees may not always expect to be monitored via video surveillance systems in their day-to-day roles. You should therefore consider if there are any less privacy-intrusive ways to achieve the same result.

If you do use surveillance systems, you should tell staff clearly what you are doing and why. You must ensure that you have notices, or other means, to clearly inform employees about the nature and extent of surveillance and its purpose(s). The ICO recommends telling staff what you have changed from your normal policies.

Making a decision as to whether you can justify the method of monitoring should involve:

  • establishing the benefits of the method of monitoring;
  • considering any alternative method of monitoring; and
  • weighing these benefits against any adverse impacts on staff.

You should regularly review the methods in use to ensure they are still achieving the intended purposes.

There is an updated DPIA template which is specific to surveillance systems. This will assist your thinking before considering the use of thermal cameras or other surveillance.

Can I use recorded CCTV footage to monitor who an employee has been in contact with, if they are subsequently diagnosed with COVID-19 or suffer symptoms?

In the context of COVID-19, the ICO recognises that analysis of CCTV footage could assist with contact tracing and inform when staff need to self-isolate. You should assess whether this is necessary in the specific circumstances and consider speaking to the people who would be affected by your use of CCTV and to provide advice on appropriate measures such as self-isolation.

Analysis of CCTV footage could reveal sensitive aspects of a person’s behaviours and relationships. Employees have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.

How do I ensure that staff are able to exercise their information rights as part of this process?

In order for people to be able to exercise their rights, they need to understand what personal data you hold and what you are using it for. As such, transparency is crucial and you should let your staff know how you will use their data in a way that is accessible and easy to understand.

You should ensure that staff are able to exercise their information rights. To make this easier, you may wish to put processes or systems in place that help your staff exercise their rights during the COVID-19 crisis.

How do I decide what type of tests and checks are necessary on customers and visitors?

As part of the measures you are taking in response to COVID-19, you will need to make a decision on what measures are necessary. Again, the onus is on you to be able to clearly explain and demonstrate that your approach is rational and fair. This could be done via a DPIA.

Where can I get further advice or support?

If you need any additional advice or support, please contact our specialist data protection partner Mark Gleeson.