What must I consider about data protection law when testing staff members for COVID-19 on their return to work?