We consider the ICO's guidance for organisations conducting testing of employees and provide practical advice for complying with data protection law.

As an increasing number of employers return to face-to-face contact, many will, as part of their risk assessment, carry out testing or undertake other health checks to discover whether their employees have symptoms of Covid-19. The Information Commissioner's Office (“ICO”) has produced guidance to help organisations comply with data protection law when doing so.

Why is data protection law relevant?

Employers carrying out Covid-19 testing will process personal data when they receive employee test results, and so must comply with their obligations under the General Data Protection Regulation (“GDPR”) when doing so.

Personal information about an individual's health is ‘special category' personal data. Special category personal data is given specific protection under the GDPR, which will be of particular relevance when processing information about whether an employee has symptoms of Covid-19.

What lawful bases and exemptions are applicable when processing personal data?

When processing special category personal data, an exemption to the general prohibition (under Article 9 of the GDPR) on processing such information must be identified, following which a lawful basis for processing the personal data must then be established (under Article 6 of the GDPR).

Exemption to the Article 9 prohibition on processing special category personal data

Exemptions under the GDPR (as supplemented by the UK's Data Protection Act 2018) permit the processing of special category personal data where the processing of the information is necessary for reasons of ensuring the health and safety of employees.

However, the information processed must be strictly necessary for that purpose, so excessive information should not be collected. What is necessary will depend on the tasks being undertaken by your employees, relevant government guidance and the testing available.

For example, in some roles it may only be necessary to ask questions about general health; in others a temperature check may be required; others again may involve monitoring; and some may need a more intrusive check of an employee's health.

Lawful basis under Article 6 of the GDPR

The lawful basis for processing testing information may well be in pursuance of a legitimate interest of the organisation (where the organisation is not a public authority) or carrying out a public task, but in each case a lawful basis analysis (including a legitimate interests assessment) should be undertaken to assess the basis on which the information is processed and any safeguards which would need to be in place. Again, the information processed should be limited to that which is necessary.

What about consent?

Consent is unlikely to be an appropriate exemption or lawful basis for processing personal data about employees, as the imbalance in power is unlikely to permit the freedom to give consent as outlined in the GDPR.

Before carrying out any testing

Employers should be open and honest with employees about the use of their health data and what decisions will be made with the information gained from Covid-19 testing. 

Employees should be informed as to how their personal data is going to be processed in the course of testing. This might be done through an updated employee privacy notice or through a separate notice to employees specific to the testing regime.

Discussions with employees, and their representatives including unions, on the proposed use of personal data in carrying out testing are a good way of ensuring transparency in the use of personal data. This may be undertaken as part of a data protection impact assessment.

Can we share results with our employees?

It is important to minimise the personal data being shared, particularly in the case of special category personal data.

In most cases, it will be entirely possible to reveal that someone in the workplace has contracted Covid-19 without revealing their identity (or information which would identify them), removing the need to share personal data with employees.

If, as a result of particular circumstances, it is not possible to share this information without revealing the individual's identity, this should be identified before testing takes place and employees notified accordingly. Completing a data protection impact assessment would help identify this issue in good time to ensure early notification to employees.

How can we ensure we protect the personal data from the test results?

At all times, employers must ensure that they properly assess the risks to, and implement appropriate security measures to protect, personal data.

Simple steps such as password protecting documents or restricting access to them can be highly effective in protecting personal data. More advanced security measures could be appropriate and, if so, must be considered.

Originally published by Wrigleys Solicitors, July 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.