Covid-19 employee testing – is your business ready?

The Information Commissioner’s Office (ICO), which is the UK’s data protection regulator, has issued Guidance which employers need to follow if conducting Covid-19 testing in the workplace: https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/testing/.

With many workplaces now open again, and many others implementing plans and procedures for a phased return, it is important that employers understand how to conduct Covid-19 testing in a way which complies with Data Protection rules and principles.

Remember – by carrying out Covid-19 testing, you will be processing data about people’s health. That data will be classed as “special category data”, which attracts a higher degree of protection than regular personal data. This is due to its sensitive nature and the greater potential for harm if there is a data breach or misuse of the data.

Whilst The ICO has confirmed that data protection legislation will not be a barrier to conducting health checks where it is necessary to do so, it has reiterated that existing data protection principles will continue to apply.

What should you do now?

If you are considering Covid-19 testing, you should:

Conduct a data protection impact assessment to assess the risks involved with collecting and storing health data – doing so will help to fulfil the Data Protection “accountability principle”, and demonstrate that you are taking responsibility for compliance with Data Protection law.
Confirm specifically what purpose you are trying to achieve by conducting the health testing. For example, is the aim to limit the spread of Covid-19 in the workplace itself, to limit transmission to the wider public in public-facing roles, or specifically to protect more vulnerable groups of society? This will involve an assessment of what different job roles entail and who an employee will interact with in the ordinary course of business.
Confirm whether the testing is necessary to achieve the intended purpose. This will involve an assessment of factors such as whether employees can safely practice social distancing whilst performing their job role. Additionally, have you considered whether there are any alternative, less intrusive, measures that would achieve the same aim?

What alternative measures could employers take?

Health testing may be appropriate in certain circumstances, but in many cases it will be possible to implement alternative measures:

Adapt: Consider changes that could reasonably and lawfully be made to a person’s job role or day-to-day tasks, to enable them to practise social distancing.
Work smart: If it is possible for employees to work from home, consider continuing to do this or alternatively implementing an office rota to reduce the number of employees in the office at a given time.
Plan: Implement robust procedures which set out when employees should and should not come into work, depending on whether they have experienced symptoms, and who they have come into contact with. This will ensure that employees understand what is expected of them.

If you determine that health testing is appropriate, you should consider how you could limit the scope of the testing. For example, you could limit the types of health data that you collect, or you might decide only to test certain higher-risk roles, such as people who cannot socially distance, or people with public-facing roles.

What lawful basis should employers rely on if they have a good reason to conduct health testing?

The ICO have confirmed:

for private or public sector employers, their legitimate interests are likely to be the applicable lawful basis for conducting health testing; and
public authorities carrying out their public sector functions will likely be able to rely on the testing being necessary to perform a task in the public’s interest.

If you are seeking to rely on your legitimate interests, we recommend conducting an impact assessment. This will allow you to evaluate whether the testing is a necessary and proportionate means of achieving the aim, and therefore whether it is possible for you to rely on the “legitimate interests” lawful basis.

Article 9 Conditions

As health data is “special category data”, a data controller also needs to be able to identify an Article 9 condition for processing.

The ICO has indicated that the “employment condition” will be applicable.

Under the Data Protection Act 2018, this means that employers will also need to have an appropriate policy document in place to provide information, such as how it will act in compliance with the core data processing principles under the GDPR, and how long the health data will be retained for.

We can help you prepare your policy.

What else do you need to do?

Store it safely: keep the health data you collect secure, and restrict access to only personnel who need access to it.
Keep it accurate: ensure that all records are kept accurate and up-to-date and that robust retention policies are implemented.
Update privacy notices: provide tailored and specific privacy notices to employees, to ensure that they understand how their health data will be collected and processed.
Look out for guidance: consider industry and trade specific guidance which is being regularly updated, as this may impact whether or not it is advisable to implement a symptom check or testing regime.

What next?

If you need support in relation to any of these issues, require any assistance determining whether it is appropriate to conduct employee health testing or advice about the implications of doing so, please contact our Data Protection Team.