With more people now returning to work, and businesses mindful of their obligation to keep employees safe, many employers are looking to introduce some form of workplace testing for their staff. This could range from routine temperature checking to specific COVID-19 testing.

Since this testing naturally involves processing an individual's health data, as an employer you will need to consider some key privacy questions before starting tests. This article focuses on five of the key questions.

Q1. What lawful basis do you have for processing the personal data you obtain through workplace testing?

A: For private sector employees, the most obvious lawful ground will be legitimate interests. However, you should only reach this conclusion after conducting a legitimate interest assessment (LIA), to ensure your interests in carrying out the testing do not outweigh the privacy concerns of staff.

Legal obligation may also be a relevant lawful ground, where the testing is considered necessary for you to comply with your health and safety obligations towards its staff.

Q2. What other obligations arise from processing health data?

A: Health data is a form of special category data, which requires employers to identify one of the Article 9 (GDPR) conditions for processing. In most cases, you should be able to rely on the "employment condition" (9(2)(b) GDPR), where the processing is necessary for you to meet your health and safety obligations.

If you are relying on this condition, you'll also need to have an appropriate policy document in place, showing how you will comply with your core obligations under the GDPR, and how long you will retain the data.

Q3. Is a data protection impact assessment (DPIA) required?

A: When an employer introduces a new form of health-related testing, they should first conduct a DPIA focussing on any risks this processing may generate. As a minimum, your DPIA should set out (in writing): the nature of the testing being proposed; the potential data protection risks this poses; whether the testing is necessary and proportionate; and the steps you can take to mitigate any potential data protection risks.

The DPIA should be completed in addition to the LIA document. In light of the fast-changing current situation, we recommend you regularly review and update the DPIA.

Q4. What else must you consider when carrying out testing?

A: As with all data processing, employers must comply with the core principles of the GDPR. Amongst other things, you must ensure the data being processed is adequate, relevant, accurate and limited to what is required to achieve the purpose of the testing.

Q5. What should you tell your staff about testing?

A: As with all employment matters concerning the current pandemic, communicating with staff is vital. You should be transparent with staff about testing, which means telling them why and how you are carrying out the testing and what you will do with the data that is collected.

Although your general employee privacy notice may already cover conducting some form of staff testing/examining, in our view it is unlikely to be specific enough to cover any new testing for COVID-19 purposes. This means you will need to give employees extra information prior to testing.

GDPR compliance

The Information Commissioner's Office (ICO) has recently published its own guidance for employers on workplace testing.

Originally published 20 May 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.