The Information Commissioner’s Office (ICO), which is the UK’s data protection regulator, has issued Guidance which employers need to follow if conducting Covid-19 testing in the workplace: https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/testing/.
With many workplaces now open again, and many others implementing plans and procedures for a phased return, it is important that employers understand how to conduct Covid-19 testing in a way which complies with Data Protection rules and principles.
Remember – by carrying out Covid-19 testing, you will be processing data about people’s health. That data will be classed as “special category data”, which attracts a higher degree of protection than regular personal data. This is due to its sensitive nature and the greater potential for harm if there is a data breach or misuse of the data.
Whilst the ICO has confirmed that data protection legislation will not be a barrier to conducting health checks where it is necessary to do so, it has reiterated that existing data protection principles will continue to apply.
If you are considering Covid-19 testing, you should:
Health testing may be appropriate in certain circumstances, but in many cases it will be possible to implement alternative measures:
If you determine that health testing is appropriate, you should consider how you could limit the scope of the testing. For example, you could limit the types of health data that you collect, or you might decide only to test certain higher-risk roles, such as people who cannot socially distance, or people with public-facing roles.
The ICO have confirmed:
If you are seeking to rely on your legitimate interests, we recommend conducting an impact assessment. This will allow you to evaluate whether the testing is a necessary and proportionate means of achieving the aim, and therefore whether it is possible for you to rely on the “legitimate interests” lawful basis.
As health data is “special category data”, a data controller also needs to be able to identify an Article 9 condition for processing.
The ICO has indicated that the “employment condition” will be applicable.
Under the Data Protection Act 2018, this means that employers will also need to have an appropriate policy document in place to provide information, such as how it will act in compliance with the core data processing principles under the GDPR, and how long the health data will be retained for.
We can help you prepare your policy.
If you need support in relation to any of these issues, require any assistance determining whether it is appropriate to conduct employee health testing or advice about the implications of doing so, please contact our Data Protection Team.
Action Summary:
· Read the (ICO) Guidance;
· Conduct a data protection impact assessment;
· Consider specifically what purpose you are trying to achieve by conducting the health testing;
· Consider whether the testing is necessary to achieve the intended purpose;
· Consider what alternative measures you could take;
· Consider how to limit the scope of the testing;
· Identify the lawful basis for conducting health testing;
· Write and publish a policy document to make sure that you comply with the Article 9 Conditions;
· Store data safely;
· Keep the data accurate;
· Update Privacy Notices;
· Look out for further guidance; and
· Contact our Data Protection Team for detailed advice or further support.