It has been 64 days since the UK officially went into lockdown due to the COVID-19 crisis, with many ‘non-essential’ workers vacating their workplace. In preparation for sending the UK back to work, the Information Commissioner’s Office (ICO) has issued FAQ-style guidance to assist employers wishing to track and test employees’ symptoms (available here).
Health data is ‘special category data’ under the General Data Protection Regulation (GDPR) and is therefore subject to greater restrictions. Nonetheless, the ICO makes it clear that data protection law does not prevent employers from taking necessary steps to ensure the safety of staff and the public, provided that personal data is handled responsibly and carefully in accordance with the law.
The guidance covers the following specific activities:
- Testing employees for symptoms of COVID-19
- Compiling lists of employees with symptoms or positive diagnoses
- Disclosing positive cases to other employees
- Using temperature checks or thermal cameras in the workplace
The guidance also offers general advice, which is summarised below.
Lawful basis for collection
The ICO advises that health data can be collected, provided that there is a good reason for doing so and the collection is proportionate. The guidance suggests that for public authorities carrying out their function, ‘public task’ is likely to be the applicable legal basis for processing personal data under article 6 of the GDPR, and for other public or private employers, ‘legitimate interests’ is likely to be appropriate – but employers should carry out a legitimate interests assessment beforehand. Further, the relevant condition of the GDPR for the collection of health data is the employment and social protection condition in article 9(2)(b), along with schedule 1, condition 1 of the Data Protection Act 2018.
Data collection and handling
As with other types of personal data, the data collected should be adequate, relevant, and limited to what is necessary. For example, when testing employees, it is likely that an employer will only require details about the result of the test, rather than additional details about underlying conditions. Employers should also ensure that such data is accurate and up to date, and so it would be necessary to record the date of testing.
To demonstrate compliance with the GDPR, if an organisation plans to undertake testing and process health information, it should conduct a data protection impact assessment (DPIA) beforehand to assess and mitigate the risks. The guidance sets out the specific topics which should be covered in the DPIA, and provides a template DPIA.
Transparency and employees’ rights
The guidance highlights that transparency is important when explaining the nature and purpose of the data processing, particularly when processing health data. Employers should also be clear about what information will be required, what it will be used for, who it will be shared with, how long it will be kept, and what decisions will be made with the information.
It is also important to ensure that staff are able to exercise their information rights, such as the right to access, rectify or erase information held about them. The guidance offers the example of using a secure portal or self-service system to manage such information.
Employees may be kept informed about potential or confirmed COVID-19 cases amongst colleagues; however, the information to be disclosed should be proportionate. Employers should therefore avoid naming individuals if possible and should not provide more information than is necessary.
This short piece of advice gives useful, practical guidance for employers contemplating using testing or tracking in order to manage the safety of employees during this crisis. This advice is supplemented by the ICO’s guidance on its regulatory approach during the crisis (available here), and provides some clarity during a time of great uncertainty.