Wonderful service from start to finish.
What are the GDPR implications for testing staff for coronavirus?
- AuthorEmployment Team
As employers begin to open up the conversation with their employees about returning to the workplace, there are several ways that they can be providing a safe working environment for their employees; one of which being testing for coronavirus. There are considerations that need to be had however, in particular when it comes to the holding of data of those staff members who have been tested. The Information Commissioners Office (ICO) has published guidance for employers who test their workforce for Coronavirus (Workplace testing – guidance for employers) and here, our Employment Law team review the guidance and offer practical advice for employers on how to proceed on this next step.
The guidance states that employers need to comply with General Data Protection Regulation (GDPR) and the Data Protection Act 2018, which requires them to handle data “lawfully, respectfully and transparently”.
As an employer, you should ensure that you do not collect unnecessary or excessive information. For example, you will probably only require information about the test result, rather than details of any underlying conditions of their workforce. You should also consider the testing options available, to ensure that you are only collecting results that are necessary and proportionate.
This means that you can keep lists of employees who have had symptoms or tested as positive, but you need to ensure that processing this data is “necessary and relevant for the stated purpose”. These lists must not result in unfair or harmful treatment of employees. If you test or temperature check employees, workers or visitors you should ensure that it is applied consistently to all. Only testing certain groups who are perceived to be at a higher risk of having the virus could potentially lead to discrimination claims. The ICO also advises that an individual’s health status will change over time and information could become inaccurate.
The individuals should not be named if the information is shared with the workforce and you should not provide any more information that is necessary.
What is a Data Protection Impact Assessment (DPIA)?
Testing data is special category data under the GDPR; one of the permitted grounds for processing special category data is for health purposes. However, you should carry out a data protection impact assessment (DPIA) before you collect this data and keep detailed records of how data is categorised and documented. The DPIA will be scrutinised if compliance is not as strong as it should be or if the ICO would simply like to see it. The DPIA will be crucial to demonstrating compliance and accountability.
The DPIA should set out:
- the activity being proposed;
- the data protection risks;
- whether the activity is necessary and proportionate;
- how risk will be mitigated; and
- whether risk mitigation has been effective.
You can show that your processing of test data is compliant by using the ICO’s accountability principle, a checklist that enables them to see if you are compliant with GDPR and data protection legislation.
Before carrying out any staff testing, you should inform staff about:
- what personal data is required
- what it will be used for
- who it will be shared with
- how long it will be kept for
- what decisions will be made based on the test results
Staff may arrange tests for themselves and you should have “due regard to the security of that data” if workers have disclosed the results to you.
If you are considering additional measures such as temperature checks or thermal cameras on site, you must give “specific thought to the purpose and context of its use”, and will need to be able to make the case for carrying out such testing or monitoring and for collecting such data. You should consider whether you can achieve the same results through other, less privacy intrusive means. If so, then the monitoring may not be considered appropriate.
It is crucial that you are transparent regarding any data related to testing. To improve transparency you could consider setting up secure portals or self-service systems so staff can manage and update their personal data where appropriate.
The ICO has stated that it will continue to take a “strong regulatory approach” against any organisations breaching data protection laws to take advantage of the crisis, but acknowledges that employers’ stretched resources at the moment could impact their levels of compliance. For example, some organisations may see a rise in Subject Access Requests from employees keen to know how their data has been used, but struggle to respond due to immediate priorities or a shortage of staff. The ICO says it will take this into account before taking formal enforcement action.
If you are considering testing or temperature checking your staff but you have questions about how to do this within the ICO compliance, then you can contact us today on 023 8071 7717 or email firstname.lastname@example.org to discuss this further with us.
This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice. All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.