Many employers are now focusing on how to manage a safe return to work and one of the questions being asked is the extent to which an employer can introduce workplace testing.
Welcome Guidance has just been released by the ICO. In summary, the Guidance clarifies that workplace testing may be permissible but it must be necessary and proportionate and you must demonstrate compliance with the GDPR and Data Protection Act 2018. The key takeaways are as follows:
- Data Protection Law does not prevent you from taking the necessary steps to keep your staff and the public safe, you just need to handle personal data with care;
- Personal data that is health related is special category data and thus subject to enhanced protection;
- You must have a lawful basis for processing, for private sector employers legitimate interests can be relied on but employers must also have an Article 9 condition for processing (the employment condition most likely);
- To demonstrate accountability, you should conduct a Data Protection Impact Assessment (DPIA) covering:
- The activity;
- The risks;
- The necessity and proportionality;
- Any mitigating actions that can be taken to counter risk; and
- A plan or confirmation that mitigation has been effective.
- Only collect and retain the minimum amount of information required;
- You can keep lists of employees who have symptoms or who have tested positive but they must be necessary, relevant and secure;
- Be open with employees in relation to how and why you want to use their data and how long you intend to keep it (Transparency);
- You can keep staff informed about COVID-19 cases amongst colleagues but avoid naming individuals;
- If staff disclose the results of tests to you, make sure that results are kept secure, subject to confidentiality and you should only keep what is necessary and relevant; and
- In relation to using temperature checks or thermal cameras, you need to make the case for using this technology and you must be able to show that you can’t achieve the same result through less invasive means.
Workplace testing may not be justified in every workplace and you should adopt an approach that suits your particular working environment. Conducting a DPIA should test the necessity and proportionality of your proposed approach.
This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Data Protection team at Cleaver Fulton Rankin for further advice or information.