As the UK begins to ease lockdown measures, employers in all sectors are considering how their employees can return to work in the safest possible way. For many, this will include testing to check whether employees have (or have already had) COVID-19. Any employer wishing to carry out such testing will need to ensure that they are doing so in a way that is compliant with data protection legislation.

The UK's Information Commissioner's Office has now published guidance for employers on how they can perform workplace testing for COVID-19 in compliance with data protection law. This post provides an overview of that guidance.

Can workplace testing be done lawfully?

Yes. However, as personal data relating to health is classified as "special category personal data," employers will need to satisfy two tests in order to be able to lawfully process employees' COVID-19 test data:

  • They must have a lawful basis for the processing under Article 6 of the GDPR
  • The processing must also satisfy one of the further conditions for lawfulness under Article 9

In addition, due to the sensitive nature of the data at hand, employers must be particularly careful to follow the core principles of the GDPR in relation to COVID-19 testing, notably principles relating to data minimization, purpose limitation, transparency, confidentiality and accuracy.

Before we start - a note on selecting third-party testing providers

Not all COVID-19 testing providers will perform their testing operations in the same fashion. However, it is the responsibility of an employer to consider the options available to it and to engage only a provider that enables it to meet the standards outlined below.

(This note is in addition to general rules relating to appointing third-party providers - e.g., ensuring that the testing provider's processing is subject to a GDPR-compliant "data processing addendum" or similar and that the employer has performed suitable diligence of the testing provider's GDPR compliance.)

Steps to GDPR-compliant COVID-19 testing

1. Establish an appropriate lawful basis and Article 9 condition

The ICO's guidance confirms that for private employers (as opposed to public bodies):

  • The most relevant lawful basis is likely to be "legitimate interest" under Article 6(1)(f) of the GDPR
  • The relevant Article 9 condition will be the "employment condition" under Article 9(2)(b) of the GDPR (as supplemented by the "employment, social security and social protection" condition in paragraph 1 of Schedule 1 to the UK Data Protection Act 2018 - or equivalent provision in local member state law)

This lawful basis and this Article 9 condition are likely to apply to the processing of employees' COVID-19 test data provided that the employer is only carrying out that processing in order to fulfil its health and safety obligations to its employees.

Employers who are subject to the UK Data Protection Act 2018 and who are seeking to rely on the employment condition should note that paragraph 1(1)(b) of Schedule 1 to the UK Data Protection Act 2018 requires that they must have in place an "appropriate policy document" which explains:

  • Their procedures for securing compliance with the core principles in Article 5 of the GDPR in processing personal data in reliance on the employment condition
  • Their policies as regards the retention and erasure of personal data processed in reliance on the employment condition, along with an indication of how long the data is to be retained

Such employers should ensure they have an appropriate policy document in place before beginning to process employees' COVID-19 test data.

2. Perform a data protection impact assessment

Due to the nature of the data and processing concerned, any employer seeking to test its employees should first conduct a data processing impact assessment focusing on the risks specific to COVID-19 testing.

This DPIA should set out:

  • The activity being proposed
  • The data protection risks
  • Whether the proposed activity is necessary and proportionate
  • The mitigating actions that can be put in place to counter the risks
  • A plan or confirmation that mitigation has been effective

The ICO has a template DPIA which can be used for this purpose. The initial DPIA should be reviewed regularly and updated as necessary as new risks and benefits emerge.

3. Collect the minimum amount of information necessary

Employers must collect only as much data as is necessary to fulfil their purpose of carrying out the testing and should ensure that all data collected has a rational link to that purpose.

For example, employers will need to collect information about the results of tests, but probably won't need any additional details about the employee's health or underlying conditions.

While not reaching a definitive conclusion - the ICO appears skeptical as to whether ongoing monitoring of potential COVID-19 symptoms by an employer (e.g., temperature checks and/or thermal cameras on site) can be GDPR-compliant where the purpose of the processing is to fulfil its health and safety obligations to its employees. The ICO guidance encourages employers to "think about whether you can achieve the same results through other, less privacy intrusive, means. If so, then the monitoring may not be considered proportionate."

4. Communicate measures to employees

Employers should be clear with their employees about what information is being collected, why it is being collected and what decisions will be made with that information.

Before commencing testing, employees should be told the following, at a minimum:

  • What personal data is required
  • For what it will be used
  • With whom it will be shared
  • For how long the employer intends to keep the data

Best practice would be for this information to be relayed in a specific COVID-19 testing privacy notice.

It is also important that employees are able to exercise their data subject rights, including being afforded an opportunity to discuss the collection of their data and express any concerns with a suitable member of staff.

5. Maintain confidentiality

The ICO guidance does not prohibit keeping lists of employees who have symptoms or who have tested positive. However, in addition to ensuring that any such data retention is necessary for their stated purposes, employers must ensure that the data processing is secure and consider any duty of confidentiality owed to their employees.

While it might be necessary to inform other employees and/or public authorities that someone has tested positive, employers should avoid naming specific employees if possible.

6. Ensure accuracy

Any personal data held about employees must be accurate. In the context of workplace testing, this means that employers should record the date of any test results because the COVID-19 status of employees can change over time.

The ICO guidance emphasizes that the recording of inaccurate testing information or the failure to acknowledge that an individual's health status has changed could result in unfair or harmful treatment of employees.

This post serves as an overview of the guidance only. For any specific queries on how you can ensure compliance in your workplace safety measures, please contact a member of the Cooley c/d/p team.

Originally published 19 May 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.