During the current COVID-19 pandemic, the huge majority of organisations will want or need to test staff members for the virus before allowing them back into the workplace. Such testing is covered by the GDPR and Data Protection Act 2018, but as health matters are ‘special category data’ even greater care is needed in handling data. You are expected to keep your staff safe, so the Information Commissioner’s Office has published a document relating to the pandemic that you should read.
Justifying the processing of data
A good reason is required for the processing of such data. In the present situation all employers will need to exercise judgment on this, but in the majority of cases ‘public task’ will apply to public authorities and ‘legitimate interests’ to other employers. As this is ‘special category data’ employers must identify an Article 9 condition as the basis for processing it which, in this situation, commonly will be Article 9(2)(b) and Schedule 1 condition 1 of the DPA 2018. These cover health and safety in the workplace.
Explaining accountability
In order to be fully compliant with GDPR employers will need to demonstrate their accountability in handling this data, perhaps through a data protection impact assessment (DPIA). This should cover what you propose to do, justify it as necessary and proportionate, detail any risks relating to data protection and how you propose addressing them, and explain how you will demonstrate that the risks have been mitigated. It should be reviewed regularly and updated as necessary, as the situation develops. Each organisation’s DPIA will be different, but the ICO produces a template to help.
What to process
You should be collecting the minimum amount of information necessary. It must give you what you need but be relevant to the stated purpose and strictly limited to that. Employers need to consider available testing options and guard against acquiring too much detail. For example, in most cases an employer needs to know only about the COVID-19 virus and not about any other underlying health conditions. Careful records should be kept of the date of any tests as well. If you can demonstrate a need to keep a list of employees who have either tested positive or have symptoms you may do so, provided always that the information is accurate, is kept up-to-date, is kept secure and confidential, and is not used as the basis for unfair or harmful treatment of employees.
Being transparent
At all times transparency is of the utmost importance. Your staff should be fully informed of what you are doing, why, with whom the data may be shared and how long it will be held, and where possible there should be the opportunity for discussion. Explanations should be clear and given in the simplest terms possible. Where appropriate, secure access portals might be a good way to allow staff to view, amend and update personal data in order to preserve transparency. Where this is not possible, at the very least your staff should be aware of how to access this data if needed.
What can I do if I discover a risk?
Data protection law should not prevent your keeping your staff safe in the workplace. To this end, if a member of staff tests positive for COVID-19 you may need to inform the other members. This is lawful and justifiable, but employers must be vigilant as to how much information is given out. In most cases, for example, it is unnecessary to identify an individual in order to explain that COVID-19 has been detected within the workforce.
Intrusive technology
Finally, any employers who may be considering the use of temperature checks or thermal cameras need to question and justify the necessity of these more intrusive technologies. That is not to say that they are necessarily inappropriate, but if less intrusive means are available to achieve the same levels of safety then they may be excessive. Transparency between employers and staff is, again, essential here, but for those employers who are actively considering the use of such technology and believe it justifiable the ICO has again produced a helpful template to assist in the weighing of options.