18 May, 2020
The ICO has published 'Workplace Testing - Guidance for Employers' in order to assist employers considering introducing workplace testing in a bid to make workplaces safe in light of the coronavirus pandemic.
The starting point is that as long as there is a good reason for doing so, employers should be able to carry out health testing on staff as data protection law is not a barrier from taking necessary steps to keep staff and the public safe during the pandemic. However, the principles of data protection law (including transparency, fairness, security and proportionality) must still be complied with.
In order to be lawful under data protection law, employers need a lawful basis under the General Data Protection Regulation (GDPR) in order to carry out workplace testing. Workplace temperature testing will amount to special category data under the GDPR. Therefore, employers can only use this information if they are able to satisfy a lawful basis from both Article 6 and Article 9 of the GDPR.
The most appropriate lawful bases under Article 6 of the GDPR are likely to be the 'public interest' basis for public sector employers and the 'legitimate interests' basis for private sector employers. In addition, there is provision in Article 9 of the GDPR which permits the use of special category data where it is necessary to carry out obligations and exercise specific rights of the employer or staff in the field of employment, along with Part 1 of Schedule 1 to the Data Protection Act 2018 which relates to employer health and safety obligations.
It is important to note that consent is not an appropriate lawful basis in the context of an employment relationship. The standard of consent required by the GDPR is that it must be 'freely given' which is difficult to demonstrate in an employment context. In addition, consent must be able to be withheld and withdrawn and therefore it is an unreliable justification of your use of staff information.
In order to demonstrate compliance with the GDPR, the ICO guidance confirms that employers should conduct a Data Protection Impact Assessment (DPIA) prior to introducing workplace testing. The DPIA should set out how the employer will comply with data protection law. A typical DPIA for workplace testing would cover the following points:
Once the initial DPIA has been conducted, a review of the DPIA should conducted on a regular basis to consider whether the testing is still necessary and proportionate.
In order to comply with data protection law when carrying out workplace testing, employers must only collect and keep the minimum amount of information which is required. Employers will need to make sure it does not collect unnecessary or excessive information from staff. Employers should consider which testing options are available, to ensure that it is only collecting results that are necessary and proportionate. An employer should be able to demonstrate the reason for testing individuals or obtaining the results from tests.
In addition, personal data must be accurate and kept up to date. Therefore, employers should record the date of any test results, because the health status of staff may change over time and the test result may no longer be valid.
Employers must be transparent about the use of workplace testing and how the test results will be used. Before carrying out any staff testing, employers should inform staff about:
This information should ideally be provided to staff by way of a privacy notice which complies with the requirements of the GDPR. This could be done by either developing a standalone privacy notice which relates solely to workplace testing or by updating your existing staff privacy notice to ensure workplace testing is covered.
Employers are not prevented from informing staff if a colleague has contracted coronavirus by data protection law. However, the member of staff should not be named if possible and it may be sufficient to inform staff which office or location the member of staff was based.
If an employer is required to disclose details of positive test results outside of the organisation (e.g. to a regulator or government body), it should firstly consider whether or not details of the test results can be anonymised. If it is possible to anonymise the results, they are likely to fall outside the remit of data protection law. However, if it necessary to share details of staff, employer's will again need to consider what lawful justification the disclosure can be made under the GDPR. This will largely depend on the particular circumstances, however, applicable lawful bases may include compliance with a legal obligation or necessary on the grounds of public health.
The coronavirus pandemic will undoubtedly see innovative uses of technology and testing in order to contain the spread of the virus. During this public health emergency, the deployment of workplace testing systems to track and trace the virus is likely to be legitimate and justifiable on the grounds of public health. The Information Commissioner's Office has confirmed that data protection is not a barrier to protecting health and safety during a public health emergency as long as the principles of data protection law are complied with. However, regular review of such testing will be crucial as what is legitimate and justifiable during a public health emergency may not be appropriate once the crisis has ended.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.