Data protection issues and returning to work: testing employees for COVID-19 and other issues.
Returning to the workplace after lockdown is, for many employees, either already a reality or likely soon to become one. Government guidance on how this is to be managed is often tricky to navigate, as I think we will all agree, but the focus now seems to be on ‘test, track and trace’. This has implications for employers as they start to consider how to reorganise their workplace to ensure that risks to employees are minimised. As part of these measures, employers may wish to test employees for COVID-19 or to ask them for their test results. The Information Commissioner’s Office (ICO) has issued guidance for employers, confirming that workplace testing may be possible, but emphasising that employers need to consider data protection compliance carefully.
Why is data protection compliance relevant?
Employers must consider data protection law because they will be processing information that relates to an identified or identifiable individual and so must comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Data protection law does not prevent organisations from taking the necessary steps to keep staff and the public safe and supported during the present public health emergency, but it sets out parameters. As is often the case with rights-based legislation, there is a balance to be achieved and in the context of a global pandemic, public health is clearly a priority!
What is the lawful basis for testing employees?
Public authorities carrying out their function, including schools, academies and further and higher education institutions, are likely to be able to use the public task basis in the GDPR. The ‘public task’ basis covers processing what is necessary for an organisation to perform the task they carry out in the public interest or for its official functions, and the task or function has a clear basis in law.
For organisations outside the public sector, ‘legitimate interests’ is likely to be the appropriate lawful basis. This covers processing that is necessary for an organisation’s legitimate interests, unless there is a good reason to protect an individual’s personal data which overrides those legitimate interests. Again, the law requires an appropriate balance to be found between an employer’s interests and an individual’s rights.
Due to its sensitivity, health data has the protected status of ‘special category data’ under data protection law and so requires greater protection. For special category data the GDPR requires organisations to jump through an additional hoop: there is a list of additional conditions, one of which must be met to ensure that this type of sensitive information is appropriately processed. In the context of testing employees for COVID-19, the employment condition will be the relevant condition. It allows employers to process health data to the extent necessary to comply with their health and safety obligations. The employment condition will cover most of what employers need to do, as long as they are not collecting or sharing irrelevant or unnecessary data.
The accountability principle requires employers to take responsibility for what they do with personal data and how they comply with the other principles. It is an important part of the GDPR and underpins the Information Commissioner’s intention to ‘raise the bar’ in the context of data protection. The key focus of the accountability principle is that individuals should be aware of, and able to exercise their rights in relation to, processing of their personal data by organisations – including their employers. Employers must therefore have appropriate policies, measures and records in place to be able to demonstrate compliance – for example by publishing an employee, worker and contractor privacy notice to explain to employees how their data is processed.
In the context of testing employees for COVID-19, it is important for employers to demonstrate that their processing of test data is compliant. This means, for example, letting employees know what is planned and why, putting in place additional record keeping, and clearly indicating how long test data will be retained and who it will be shared with.
Data protection impact assessments
A data protection impact assessment (DPIA), essentially a version of a risk assessment, is part of an employer’s accountability obligations. A DPIA considers the activity being proposed, the data protection risks, whether the proposed activity is necessary and proportionate, the mitigating actions that can be put in place to counter the risks and a plan or confirmation that mitigation has been effective.
DPIAs are designed to be flexible, as appropriate to the context, and they should be regularly reviewed and updated. This is especially important in a fast-moving crisis situation, as new risks and benefits emerge. There is no set form or process for a DPIA – in the context of COVID-19 it will need to be tailored to the particular context of each organisation proposing to include testing as part of its strategy to keep employees as safe as possible.
Proportionality – balancing rights and obligations
For special category data, such as health data, it is particularly important only to collect and retain the minimum amount of information needed for the employer’s particular needs. Therefore, employers should ensure that data is adequate (enough to properly fulfil the stated purpose), relevant (with a rational link to that purpose) and limited to what is necessary. Employers should not collect or hold more than is necessary for the particular business need.
In the context of test results, employers should ensure that they do not collect unnecessary or excessive information from people. For example, they should just collect the result of a test rather than additional details about any underlying conditions. Employers should be able to demonstrate the reason for testing individuals or for obtaining the results from tests.
Personal data held must be accurate. As such, employers should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid.
Information about employees with symptoms or a positive test result
The ICO says that employers can keep lists of employees who either have symptoms or have tested positive for the virus. However, they must ensure that the use of the data is actually necessary and relevant for the stated purpose – which will generally be compliance with health and safety obligations, particularly that appropriate steps have been taken to ensure the workplace is safe for all employees. Employers must ensure that the data processing is secure, and consider any duty of confidentiality owed to employees. They must also ensure that information about an employee’s COVID-19 status does not result in any unfair or harmful treatment of that employee. This might include inaccurate information being recorded or a failure to acknowledge an individual’s health status changing over time. In addition, it would not be fair to use, share or retain information collected about the number of staff who have reported symptoms of COVID-19 for purposes they would not reasonably expect. We are aware, for example, that many universities are carrying out research into various aspects of COVID-19: it is unlikely to be appropriate for an employer to share employee test results with third parties for purposes other than ensuring its obligations to employees are fulfilled, unless the information is anonymised so that individual employees are not identifiable.
Employers should be clear, open and honest with employees from the start about how and why they wish to use employees’ personal data. This is crucial when processing health information. If testing employees for COVID-19 or checking for symptoms, employers must be clear about the decisions they will make with that information. Ideally employers should have clear and accessible privacy information in place for employees before any health data processing begins. The ICO has acknowledged that this may not always be possible in the current circumstances but we would recommend, as a minimum, that employers should at least let staff know what personal data is required, what it will be used for, with whom it will be shared and for how long it will be kept.
The ICO’s COVID-19 guidance highlights that employers should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues but recommends that they should avoid naming individuals if possible and should not provide more information than is necessary.
Duty of care
Employers have a duty to ensure the health and safety of all their employees. Data protection does not prevent this and should not be viewed as a barrier to sharing data with authorities for public health purposes, or with the police where necessary and proportionate. Employers also need to consider any risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach.
Staff information rights
So that individuals can exercise their information rights, employers need to understand what personal data is held and the uses to which it will be put. Employers should ensure that processes are in place to allow staff to exercise their rights. As mentioned above, a data protection impact assessment will help to underpin this understanding and inform the processes that will work for that organisation. Transparency is crucial and information must be accessible and easy to understand.
Asking staff to disclose results of their own tests
If staff voluntarily disclose test results to an employer, the employer must have due regard to the security of that data, and consider any duty of confidentiality owed to those individuals who have provided test results. Employers should make sure that their use of the data is necessary and relevant and that they do not collect or share irrelevant or excessive data.
Temperature checks or thermal cameras on site
When considering the use of more intrusive technologies, especially for capturing health information, employers need to give specific thought to the purpose and context of their use and be able to make the case for using them. Any monitoring of employees needs to be necessary and proportionate, and in keeping with their reasonable expectations. Again, transparency is key. Employers should also think about whether the same results can be achieved by other, less intrusive measures. If so, it is likely that only the least intrusive solution will be considered proportionate.
The Surveillance Camera Commissioner (SCC) and the ICO have worked together to update the SCC DPIA template, which is specific to surveillance systems. This will assist organisations considering the use of thermal cameras or other surveillance. The guidance is available here.
Questions or concerns?
If you would like to discuss any questions or concerns specific to your organisation please contact Dr. Caroline Redhead or Burnetts Employment and HR team on 01228 552222. Please note that both telephone and video appointments can be arranged during this period of self-isolation.