COVID-19 Coronavirus Business Impact: ICO Issues Guidance on Workplace Testing
The Information Commissioner’s Office (ICO) recently issued guidance for employers on the issues they need to bear in mind when considering the introduction of testing as part of their arrangements for returning staff to the workplace from remote working or furlough.
Many employers are working up their detailed plans for the return of staff to the workforce. In determining the arrangements they need to put in place to ensure employees’ health and safety in the workplace, they will wish to take into account the recently issued Government guidance on safe working arrangements.
Testing does not form part of the Government’s current recommendations. However, many employers are giving thought to whether they should conduct testing of employees in order to assist them in fulfilling their duty of care towards their employees to protect their health and safety – by ensuring so far as possible that, as employees return to the workplace, they are not exposed to colleagues who are infected with COVID-19. Employers may consider carrying out temperature or other checks as part of their health and safety measures – although taking employees’ temperatures is generally acknowledged not to be a reliable test of whether a person has COVID-19 and is not currently recommended by the Government, Acas or the World Health Organization.
If an employer does decide that testing is necessary, it will require consent from staff to undergo such a medical examination. If testing is to take place, it should be applied to all employees, as only testing certain groups who are perceived to be at a higher risk of having contracted a virus could potentially lead to discrimination claims. Employers will also need to determine, potentially in conjunction with landlords and co-tenants, how visitors to their premises will be dealt with.
Data protection and health information
From a data protection perspective, in the United Kingdom there is no explicit prohibition on testing. Nonetheless, employers need to be aware of and ensure that their approach complies with the guidance recently issued by the ICO on testing (ICO Guidance). This guidance follows on from the ICO’s earlier guidance confirming its pragmatic approach to enforcement of data protection obligations during the COVID-19 pandemic.
Lawful basis for testing
The GDPR and the Data Protection Act 2018 apply to the processing of employees’ health data. Whilst health data constitutes “special category data” for the purposes of that legislation, the ICO Guidance confirms that processing of health data by employers is permissible in general terms under the data protection legislation by virtue of their health and safety obligations – subject to the caveat that they must not collect or share irrelevant or unnecessary data.
Minimum necessary relevant information
As with any personal data, and particularly with health information because it constitutes special category data, employers should collect and retain only the minimum amount of information needed for the purposes for which testing is conducted. Unnecessary or irrelevant information should not be collected.
In the context of testing, the ICO Guidance notes that employers:
- Should be able to demonstrate the reason for testing individuals or obtaining the results from tests.
- Should consider which testing options are available, to ensure that they are only collecting results that are necessary and proportionate.
- Will probably only require information about the result of a test, rather than additional details about underlying conditions.
The GDPR “accountability principle” requires employers to demonstrate their compliance with their data protection obligations, for example by way of record keeping. The ICO Guidance recommends that employers conduct impact assessments in relation to their processing of personal data associated with testing, and that these assessments be reviewed and updated regularly. The ICO Guidance reminds employers of its template risk assessment and that a risk assessment should address:
- The activity being proposed.
- The data protection risks.
- Whether the proposed activity is necessary and proportionate.
- The mitigating actions that can be put in place to counter the risks.
- A plan or confirmation that mitigation has been effective.
Proper use of test results
The ICO Guidance confirms that, whilst employers can keep lists of those who test positive for COVID-19, they should ensure that the use of such lists does not result in any unfair or harmful treatment of employees. Examples given include inaccurate information being recorded, an employer failing to acknowledge that an individual’s health status changes over time, and information that has been gathered being used for purposes employees would not reasonably expect.
Personal data gathered from testing should only be shared with those within the employer’s organisation who need to process the information in order to provide a safe working environment.
Transparency and communication
The ICO Guidance states that employers should be clear, open and honest with employees about how and why they wish to use their personal data and what decisions they will make with any information gathered from testing.
The ICO Guidance acknowledges that the exceptional circumstances of the pandemic mean that it may not be possible for employers to update the privacy information provided to employees in detail but indicates that, before carrying out any tests, they should at least inform staff of:
- What personal data is required.
- What it will be used for.
- Who the employer will share it with.
- How long the employer intends to keep the data for.
It would also be helpful for employers to provide employees with the opportunity to discuss the collection of such data if they have any concerns.
Security, confidentiality and retention
The ICO Guidance confirms that employers should ensure that any data processing is secure and that they consider their duties of confidentiality to employees. The ICO Guidance notes that these obligations apply equally to test results voluntarily disclosed to the employer as to information gathered from its own testing arrangements.
Data should not be retained for longer than necessary, so employers need to address how they will ensure that this is achieved, bearing in mind their internal data retention policies.
As data protection legislation requires employers to ensure that the personal data they hold is accurate, the ICO Guidance indicates that employers should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid.
The ICO Guidance suggests that employers may wish to put processes or systems in place to help employees exercise their information and subject access rights during the COVID-19 crisis – such as secure portals or self-service systems allowing staff to manage and update their personal data where appropriate.
Thermal cameras and other surveillance
The ICO Guidance notes that, before considering the use of thermal cameras or other surveillance for capturing health information, employers need to give specific thought to the purpose and context of, and justification for, their use – as well as whether they can achieve the same results through other, less privacy intrusive, means.
Alternatives to testing
As part of their risk assessments, and in determining whether and on what basis to conduct testing, employers will wish to consider alternative or additional measures which could include:
- Asking employees to measure their own temperature every day and not come to work if it is above a certain level.
- Asking employees to report contact with confirmed or suspected cases.
- Giving clear guidance about when employees should and should not come to work.