While employers are considering how to bring their employees back to work safely as the lockdown is partially lifted, it’s important not to overlook the data protection aspects involved in back-to-work planning. On 13 May, the Information Commissioner’s Office (“ICO”) issued guidance to help employers.
If your risk assessment concludes that you need to test staff for COVID-19 or record any symptoms of the virus, you will need to take the following steps to comply with your data protection obligations (which are set out in the most likely chronological order).
1. Undertake a data protection impact assessment
A central plank of data protection compliance is being able to demonstrate compliance, so before you start collecting information you need to have assessed the impact on individuals. You do that by undertaking a data protection impact assessment (DPIA), which should record:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
The ICO has a template which organisations can use to help them focus on the minimum requirements.
Remember that necessity and proportionality are key data protection principles. If you are considering using temperature checks or thermal cameras, bear in mind that these are considered more intrusive and you will really need to be able to justify their use. In particular, not all COVID-19 sufferers have a raised temperature, and people can be asymptomatic for days while being infectious, so will temperature checks really tell you whether it’s safe for staff to be in the office? If you can achieve the same results through other, less privacy-intrusive means, you should do so. Before you implement any form of thermal camera you should read the ICO’s and Surveillance Camera Commissioner (SCC)’s updated SCC DPIA template.
2. Consider the lawful basis for processing the data
Employers need a lawful reason to process all personal data. The ICO says that processing data about COVID-19 infection or symptoms is likely to be for the employers’ legitimate interests. However, we would have considered that it’s also likely to be for compliance with a legal obligation, i.e. the employer’s duty under the Health and Safety at Work Act to provide a safe working environment. Compliance with a legal obligation is an absolute ground on which to process data and doesn’t require an assessment between the employer’s legitimate interests and the staff’s rights, so employers may consider compliance with a legal obligation a more convenient lawful basis to rely upon.
As health data is special category data, employers will need a general lawful basis (as explained above) and a special category basis to process the data. Interestingly, the ICO states that the lawful special category basis will be compliance with employment law due to the employer’s health and safety obligations, so this supports using compliance with a legal obligation as the general lawful ground to process the data.
3. Tell your staff
Transparency is a core data protection principle. Before you collect any COVID-19-related data you need to tell your staff:
- what data you will be collecting;
- why you need that data;
- how you will use the data i.e. what decisions will be based on that data;
- who you will share the information with;
- how long you will hold it;
- ideally who they should contact if they have any concerns about their health data being collected; and
- about their rights to access the data held about them.
The above information should be provided in a privacy notice – either a specific COVID-19 notice or via updating your general staff privacy notice. The ICO does recognise that “in this exceptional time it may not be possible to provide detailed information”. Nonetheless, basic details of the above still need to be provided to staff (and to visitors if they will be asked to provide health data) before the data is collected.
4. Limit the data which you collect
Your DPIA should have identified what data you actually need. You should not gather more data than you need.
For example, if you are taking temperature readings, do you need to record the actual temperature, or only whether it is normal or above 38°C?
While the fact that someone suffers from underlying health conditions may make the virus more dangerous to them, do you need to record the exact details of their health conditions or is it sufficient to know that they are in the clinically very vulnerable or vulnerable categories?
You need to be able to demonstrate why you need the extent of the data which you are collecting.
5. Record the date when data is collected
Clearly test results and symptoms may change over time. Data must be accurate, so you need to keep records of when the data was collected as it is likely to become inaccurate over time.
6. Use the data for the reasons which you said you would
If you realise that you need to use the information for another reason than you have told the staff, you must tell your employees about the other reason before processing the data for the second purpose. For example, you may have been focused on obtaining data to ensure that no-one with symptoms enters the workplace but later realise that you need to use the fact that they are symptomatic to process SSP for them as they now need to self-isolate. There is nothing wrong with processing the data for the second purpose but if you have forgotten to mention that to staff and told them that you will only process the data for the initial purposes, you need to update them.
7. Keep the data secure
As with all health data, COVID-19-related data needs to be kept secure, so while it will, for example, be legitimate to keep lists of your staff who have symptoms, leaving a hard copy on a desk is quite inappropriate – health data must be kept particularly secure.
8. Only share data to the extent you need to
The ICO confirms that you can tell employees that potential or confirmed cases have been established in the workplace but says that you “should avoid naming individuals if possible” and you should “not provide more information than is necessary”. Not naming individuals may be impractical or ineffective; if you need to tell members of a team that one of the team has tested positive and so they need to be tested, the absence of one person from the workplace the following day is a good indicator of who tested positive. Further, it may be necessary to ask your workforce if they have been in contact with a particular person, which can only be done by naming them. However, the point is to consider if naming the individual or otherwise revealing their identity is necessary for your particular purpose.
9. Review your initial data protection impact assessment
Frankly, it’s unlikely that your initial DPIA will consider every eventuality, so as things develop, particularly in a fast-moving crisis situation, new risks and benefits may emerge which need to be considered and assessed.
For more information on workplace testing and the related issues employers need to consider, please contact Rachel Tozer.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.