Privacy concerns about the NHS’ test and trace programme have hit the headlines in recent weeks, with privacy campaigners reportedly preparing a legal challenge against the Government. Not only are there concerns about how much personal data will be collected, but equally about what the Government will actually do with that data and how long it will be kept for. Campaigners have also flagged that the Government has failed to carry out a data protection impact assessment, which is a legal requirement in certain circumstances.
With privacy issues around coronavirus testing in the news, now is an appropriate time to consider what obligations employers are under if they want to carry out workplace testing during the pandemic. We take a look at the key considerations below:
Workplace testing is a privacy issue… and so data protection laws apply! This means that before you even begin, you need to consider whether it’s lawful for you to carry out workplace testing. If you don’t, you could face significant fines.
Health information is sensitive personal data… and when you process sensitive personal data you’re under heightened data protection obligations!
This doesn’t mean you can’t carry out coronavirus testing… but you must make sure it’s done lawfully! The ICO has published guidance confirming that data protection law isn’t intended to stand in the way of businesses that want to take ‘the necessary steps to keep […] staff and the public safe and supported’ during the pandemic, but that those businesses are required to act responsibly when doing so.
Ensuring workplace testing is lawful
To assess whether carrying out workplace testing for COVID-19 or coronavirus symptoms is lawful, you should take the following steps:
1. Identify a lawful basis
There are six lawful bases for processing personal data; see our Q&A for a full rundown of what these are. The ICO has advised that ‘legitimate interests’ is likely to be an appropriate lawful basis for employers, but you must decide this based on your own assessment. Because health data is sensitive personal data, you will also need to meet an additional condition for processing. The ICO has advised that employers will be able to rely on complying with their employer health and safety obligations to meet this requirement, provided that they do not collect any more data than is absolutely necessary.
2. Consider alternatives
You should only carry out workplace testing if it is necessary, fair and proportionate for you to do so. The ICO has identified different factors for businesses to consider when deciding whether their testing is necessary. These include: the type of work your staff carry out, what type of business premises they work at, whether or not they can work from home and any specific health and safety requirements your business is under.
As part of this analysis, you should demonstrate that you have considered any less intrusive alternatives to carrying out workplace testing. Carrying out a DPIA may help you to demonstrate that you have done so (see below). Bear in mind that if you’re thinking about using technologies such as temperature checks or thermal cameras, these are particularly intrusive and you must give particular thought to what alternatives may be available.
3. Carry out a Data Protection Impact Assessment (DPIA)
It is vital that you carry out a DPIA before you carry out workplace health testing; this will help you to demonstrate that you have considered whether your testing is lawful and that you have complied with all of your legal obligations. For instance, your DPIA can help you to assess whether you could restrict testing to staff members who are most at risk, or whether other measures such as social distancing would suffice. You must make sure that this is regularly reviewed and updated as the pandemic evolves to ensure that your testing remains proportionate and lawful. For a template DPIA policy you can use to set out when your business will conduct DPIAs, including a schedule on which you can record the outcome of your DPIA, see Data Protection impact assessment policy.
4. Collect only necessary information and ensure that it remains accurate
Think very carefully about what tests you should carry out to ensure that you are only collecting the minimum amount of information necessary and that the testing is proportionate. For example, the ICO advises that you will likely only need to be provided with the results of a test rather than any additional information, such as underlying health conditions. The ICO also advises recording the date of any tests that you carry out, given that an individual’s health is likely to change over time.
5. Be transparent
It is a key part of data protection law that you are transparent with individuals whose data you are collecting about what personal data you are processing and what you are doing with it. You may wish to create a bespoke privacy notice for this purpose. Remember that individuals whose data your business is processing have certain rights in relation to that data, and you must ensure that they are able to exercise them. See our Q&A on data subject requests for a rundown of how to do this.
6. Keep the personal data secure
You must keep personal data securely at all times, including any health data that your staff member provides to you directly (eg if they have independently taken a COVID-19 test and disclose the result to you). For guidance about how to store data securely, see our Q&A on secure data storage.
Sharing the results of workplace testing
Remember that health information is sensitive personal data and you will typically need the explicit consent of your staff member if you want to share the results of their test with the rest of your workforce, or anyone else for that matter.
That being said, the ICO recommends keeping staff informed about positive coronavirus cases in your workplace, and you must balance data protection rights with your health and safety duties towards your staff. You owe a duty of care to your staff, so you ought to tell anybody who has come into contact with an infected person that they have done so, so that the necessary precautions can be taken; but you should provide the minimum information necessary and avoid disclosing the name of the person in most cases. Remember that you may also be under legal obligations to share the test results with public authorities. See our Q&A on Sharing personal data for more information about your legal duties.