ICO Guidance On Covid-19 Workplace TestingPosted in : Supplementary Articles NI on 15 May 2020
Many employers are now focusing on how to manage a safe return to work and one of the questions being asked is the extent to which an employer can introduce workplace testing.
Welcome Guidance has just been released by the ICO. In summary, the Guidance clarifies that workplace testing may be permissible but it must be necessary and proportionate and you must demonstrate compliance with the GDPR and Data Protection Act 2018. The key takeaways are as follows:
- Data Protection Law does not prevent you from taking the necessary steps to keep your staff and the public safe, you just need to handle personal data with care;
- Personal data that is health related is special category data and thus subject to enhanced protection;
- You must have a lawful basis for processing, for private sector employers legitimate interests can be relied on but employers must also have an Article 9 condition for processing (the employment condition most likely);
- To demonstrate accountability, you should conduct a Data Protection Impact Assessment (DPIA) covering:
- The activity;
- The risks;
- The necessity and proportionality;
- Any mitigating actions that can be taken to counter risk; and
- A plan or confirmation that mitigation has been effective.
- Only collect and retain the minimum amount of information required;
- You can keep lists of employees who have symptoms or who have tested positive but they must be necessary, relevant and secure;
- Be open with employees in relation to how and why you want to use their data and how long you intend to keep it (Transparency);
- You can keep staff informed about COVID-19 cases amongst colleagues but avoid naming individuals;
- If staff disclose the results of tests to you, make sure that results are kept secure, subject to confidentiality and you should only keep what is necessary and relevant; and
- In relation to using temperature checks or thermal cameras, you need to make the case for using this technology and you must be able to show that you can’t achieve the same result through less invasive means.
Workplace testing may not be justified in every workplace and you should adopt an approach that suits your particular working environment. Conducting a DPIA should test the necessity and proportionality of your proposed approach.
More on Data Protection & Freedom of Information
- Can an employer refuse a request from an unsuccessful job applicant to delete any of their data in its possession as it may be necessary for the defence of legal claims?
- If employees willingly provide personal email addresses at the start of their employment and their personal email addresses were used to contact them while they worked from home during the Coronavirus Lockdown, is this a breach of data protection?
- Can we ask staff to let us know if they have been vaccinated, and can we keep a record of this?
- Does the chief executive have the right to view sensitive personal data without an employee’s consent?
- Data Protection Implications of Selling From the UK into the EU after Brexit
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.