After the UK government announced its phased lockdown-easing plan recently, many organisations are faced with the challenge of ensuring the safety of the workplace when workers gradually return to work. In addition to the prospective deployment of contact-tracing apps, which we discussed recently, another possible action to limit the potential spread of COVID-19 is workplace testing or the collection of test results. On-site temperature testing, for example, has been widely adopted in some of the worst-hit countries. The Information Commissioner’s Office ('ICO')’s timely Q&A on workplace testing sets out the key data protection issues organisations will need to address before they put such tests into practice.
Is collection of COVID-19 test data or temperature checks lawful?
Potentially. If a worker or visitor tests positive for COVID-19 (or is suspected of having it), this counts as a form of health data. Organisations collecting such information must ensure that they can justify the data processing under one of the GDPR-prescribed lawful bases. It is also important that one of the conditions for processing sensitive personal data is met.
As long as organisations are not collecting or sharing irrelevant or unnecessary data, the ICO acknowledged that most of the data processing activities in the process of workplace testing for COVID-19 could be justified under GDPR. Organisations have a legitimate interest and legal obligation to ensure the health and safety of their workplace. The processing of relevant health data is also likely to be necessary for employers to perform their employer obligations. What is relevant and necessary data to collect, however, may change as government guidance is modified.
What to watch out for when collecting COVID-19 test data
Collect and share only necessary data
Whilst several lawful bases may be available to allow organisations to perform tests or collect test results from staff or visitors, organisations must ensure that their collection of COVID-19 related data is relevant and proportionate. For example, whilst COVID-19 is often linked with underlying health conditions, organisations will not need the information relating to the underlying condition for the purpose of ensuring workplace safety. Unless the organisation has other lawful bases to collect such data, it should not ask staff and visitors for such information. Organisations may also need to take certain actions to inform the workforce once a confirmed or suspected COVID-19 case is reported. However, organisations should avoid sharing with the workforce any personal data not necessary for the purpose of ensuring safety. For example, in general individuals should not be named.
Consider less intrusive alternatives
The ICO also suggested that organisations should be cautious before deciding to carry out on-site temperature checks due to the intrusive nature of the measure. Companies planning to perform these checks should seek legal advice to assess whether the measure is justified in their specific case and whether the staff and visitors’ privacy can be respected. For example, one factor to consider is whether temperature checks could be performed in a semi-private area, out of sight and earshot of colleagues.
Keep records accurate and updated
To ensure that the testing data held by organisations is accurate, organisations should also record the date on which the data is collected and set up systems where individuals can update the test results confidentially and securely. Failure to acknowledge employees’ change of conditions over time could lead to unfair and harmful treatment of employees.
Demonstrating compliance
As usual, organisations should record the decision-making process to demonstrate compliance. One of the actions recommended by the ICO is for organisations to perform data protection impact assessments, which should be treated as a live document and reviewed regularly as circumstances change.
Informing the data subjects
Before carrying out any tests or collecting such information, organisations should at least inform staff of what information is required, the purposes for which it will be used, any third parties who will have access to the data, and the relevant retention period. If external visitors may be subject to the data collection, however, easy-to-understand hardcopy privacy notices are recommended to keep visitors informed of their data protection rights.
Other employment issues
Employers have obligations in respect of the health and safety of employees, and will need to be mindful of relevant legislation. It will be important that they carry out appropriate risk assessments relating to the re-opening of the workplace after the lockdown period – specific advice on health and safety obligations should be sought if necessary.
Employers will need to decide whether they are requesting employees to provide relevant information and cooperate with on-site checks, or whether they are mandating it. Some employees may be unwilling to provide relevant information or cooperate with on-site checks. Whilst unreasonable refusal to cooperate with an employer’s reasonable and lawful management instruction may be grounds for certain formal actions (such as disciplinary sanctions), it is always recommended that employers engage with the individual first and ask for any underlying reasons or concerns before determining next steps.
Employers should be mindful of discrimination risks, and ensure employees are being treated consistently without assumptions made about who should provide information or have checks, and who shouldn’t. Employers should also be mindful of the implied duty of trust and confidence towards employees, and avoid acting in a way which undermines this.
If you have any data protection queries about this subject, please contact our Data Protection team. For any COVID-19 related employment queries, please contact our Employment team.