When they return to work, I want to carry out tests to check whether my staff have symptoms of COVID-19 or the virus itself. Do I need to consider data protection law?
Yes. You will be processing information that relates to an identified or identifiable individual, so, you need to comply with the GDPR and the Data Protection Act 2018. That means handling it lawfully, fairly and transparently.
Personal data that relates to health is more sensitive and is classed as ‘special category data’ so it must be even more carefully protected.
Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency. But it does require you to be responsible with people’s personal data and ensure it is handled with care.
The ICO has published a document setting out our regulatory approach during the coronavirus pandemic.
Which lawful basis can I use for testing employees?
As long as there is a good reason for doing so, you should be able to process health data about COVID-19. For public authorities carrying out their function, public task is likely to be applicable. For other public or private employers, legitimate interests is likely to be appropriate, but you should make your own assessment for your organisation.
The relevant condition will be the employment condition in Article 9(2)(b), along with Schedule 1 condition 1 of the DPA 2018. This applies due to their employer health and safety obligations. This condition will cover most of what employers need to do, as long as they are not collecting or sharing irrelevant or unnecessary data.
How can I show that our approach to testing is compliant with data protection law?
To show that your processing of test data is compliant, you will need to use the accountability principle. It makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance such as additional recording keeping requirements when processing sensitive data. One way of demonstrating accountability is through a data protection impact assessment (DPIA).
If your organisation is going to undertake testing and process health information, then you should conduct a DPIA focussing on the new areas of risk.
This DPIA should set out:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
DPIAs are designed to be flexible, as appropriate to the context. We have a template organisations can use to help them focus on the minimum requirements. One important point is that the initial DPIA should be regularly reviewed and updated. This is especially important in a fast-moving crisis situation, as new risks and benefits emerge.
How do I ensure that I don’t collect too much data?
For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose.
In order to not collect too much data, you must ensure that it is:
adequate – enough to properly fulfil your stated purpose;
relevant – has a rational link to that purpose; and
limited to what is necessary – you do not hold more than you need for that purpose.
In the context of test results, you need to ensure you do not collect unnecessary or excessive information from people. For example, you will probably only require information about the result of a test, rather than additional details about underlying conditions. Consider which testing options are available, to ensure that you are only collecting results that are necessary and proportionate. As an employer, you should be able to demonstrate the reason for testing individuals or obtaining the results from tests.
Data protection law also requires that any personal data you hold is accurate. As such, you should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid.
Can I keep lists of employees who either have symptoms or have been tested as positive?
Yes. If you need to collect specific health data about employees, you need to ensure the use of the data is actually necessary and relevant for your stated purpose. You should also ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.
As an employer, you must also ensure that such lists do not result in any unfair or harmful treatment of employees. For example, this could be due to inaccurate information being recorded, or a failure to acknowledge an individual’s health status changing over time. It would also not be fair to use, or retain, information you have collected about the number of staff who have reported symptoms of COVID-19 for purposes they would not reasonably expect.
What do I need to tell my staff?
Transparency is very important. As an employer, you should be clear, open and honest with employees from the start about how and why you wish to use their personal data. This is crucial when processing health information. If you are testing employees for COVID-19 or checking for symptoms, you should be clear about what decisions you will make with that information.
Where possible, you should have clear and accessible privacy information in place for employees, before any health data processing begins. We recognise, however, that in this exceptional time it may not be possible to provide detailed information.
Before carrying out any tests, you should at least let your staff know what personal data is required, what it will be used for, and who you will share it with. You should also let them know how long you intend to keep the data for. It would also be helpful for you to provide employees with the opportunity to discuss the collection of such data if they have any concerns.
Can I share the fact that someone has tested positive with other employees? What do I need to consider if I am planning to disclose this information to third parties?
You should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals if possible, and you should not provide more information than is necessary.
As an employer, it’s your duty to ensure the health and safety of all your employees. Data protection doesn’t prevent you doing this, and should not be viewed as a barrier to sharing data with authorities for public health purposes, or the police where necessary and proportionate. There are many routes available to share data, using some of the conditions and exemptions in the DPA 2018. You also need to take into account the risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach.
How do I ensure that staff are able to exercise their information rights as part of this process?
In order for individuals to exercise their rights, they need to understand what personal data you hold, and what you are using it for. As such, transparency is crucial and you should let your staff know how you will use their data in a way that is accessible and easy to understand.
You should also ensure that staff are able to exercise their information rights. To make this easier you may wish to put processes or systems in place that will help your staff exercise their rights during the COVID-19 crisis.
For example, in relation to the right of access (also known as Subject Access), you might consider setting up secure portals or self-service systems that allow staff to manage and update their personal data where appropriate. This may also allow individuals to exercise other rights such as the right to rectification or erasure of their data. Where this is not possible, you should make sure that basic policies and procedures are in place to allow employee data to be readily available when needed.
Some staff already have the results of tests that they have arranged for themselves. If they disclose these results to me, what are the data protection considerations?
For any test results that are voluntarily disclosed to you, as an employer you should have due regard to the security of that data, and consider any duty of confidentiality owed to those individuals who have provided test results.
Your focus should be on making sure your use of the data is necessary and relevant, and you do not collect or share irrelevant or excessive data to authorities if this is not required.
Would it be appropriate to use temperature checks or thermal cameras on site, as part of testing or ongoing monitoring of staff?
When considering the use of more intrusive technologies, especially for capturing health information, you need to give specific thought to the purpose and context of its use and be able to make the case for using it. Any monitoring of employees needs to be necessary and proportionate, and in keeping with their reasonable expectations. Again, transparency is key.
You should also think about whether you can achieve the same results through other, less privacy intrusive, means. If so, then the monitoring may not be considered proportionate.
The Surveillance Camera Commissioner (SCC) and the Information Commissioner’s Office (ICO) have worked together to update the SCC DPIA template, which is specific to surveillance systems. This will assist your thinking before considering the use of thermal cameras or other surveillance.
Thank you for reading.