The implications of data protection when carrying out workplace testing for COVID-19
Posted 12/06/2020 : By: Kathryn Pratt
Throughout the coronavirus pandemic, businesses have faced various challenges, and some will have needed to share information quickly or adapt their way of working. Regardless, data protection law must be applied in the same way as it was before COVID-19.
Many businesses are now starting to prepare for reopening and welcoming employees back to the workplace. Employers have a duty of care to ensure that employees are working within a safe environment and so, naturally, may want to carry out tests to check whether staff have symptoms of COVID-19 or the virus itself.
Where you are processing employees' testing information, you need to comply with the GDPR and Data Protection Act 2018. Personal data concerning health is more sensitive and is classed as ‘special category data’, so even more care must be taken to protect its security.
Which lawful basis can be used for testing employees?
As long as employers are not collecting or sharing irrelevant or unnecessary data, they should be able to process health data about COVID-19 in compliance with data protection laws. Businesses have a legitimate interest and legal obligation to ensure the health and safety of their workplace.
The processing of relevant health data is also likely to be necessary for employers to perform their employer obligations. What data is relevant and necessary to collect, however, may vary as government guidance changes over time.
What employers should be doing if carrying out testing
- Data Protection Impact Assessment
- Don’t collect irrelevant or unnecessary data
- Ensure data processing is secure
- Inform staff
- Keep staff and third parties informed about potential and confirmed COVID-19 cases
- Ensure employees are aware of their information rights
- Ensure any monitoring of employees is necessary and appropriate
If your business is going to carry out testing and process health information, then you should undertake a data protection impact assessment (DPIA).
This DPIA should set out:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
Only collect and retain the minimum amount of data needed. Employers will probably only require information about the result of a test, rather than additional details about underlying conditions.
Employers are also required to keep any personal data accurate, so it is important to record the date of any test results: the health status of individuals may change over time, and the test result may no longer be valid.
Employers should also ensure that the data processing is secure and consider any duty of confidentiality owed to employees. You can keep lists of employees who have tested positive, as long as the information is processed securely and does not result in any unfair treatment of employees.
Before carrying out any tests or collecting such information, employers should at least inform staff of what personal data is required, the purposes for which it will be used, any third parties who will have access to the data, and how long the data is to be retained.
Keep staff informed of COVID-19 cases amongst co-workers, but avoid naming individuals if possible and do not provide more information than is necessary. Where needed, share data with authorities, taking into account the risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach.
Reporting requirements relating to cases of or deaths from COVID-19 under RIDDOR apply only to occupational exposure, that is, as a result of a person’s work. For more information on what to report and when, please click the following link: https://www.hse.gov.uk/news/riddor-reporting-coronavirus.htm#what
Employers should be transparent about what personal data is held and how it will be used. Employees must be able to exercise their information rights during this process and so employers should make sure that basic policies and procedures are in place to allow staff data to be readily available when needed.
Employers may consider using temperature checks or thermal cameras on site as part of monitoring staff to capture health information. Special consideration needs to be given if these methods of monitoring are used, due to their intrusive nature. As such, employers need to give specific thought to the purpose and context of their use and be able to demonstrate a clear case for using them. Again, transparency is key: employers should ensure that employees are aware of any monitoring.
The Surveillance Camera Commissioner (SCC) and the Information Commissioner’s Office (ICO) have updated the SCC DPIA template (link below), which is specific to surveillance systems. Employers may use this to inform their decision before considering the use of thermal or other surveillance.