Personnel Today
  • OHW+
  • Resources
    • Clinical governance
    • Disability
    • Ergonomics
    • Health surveillance
    • OH employment law
    • OH service delivery
    • Research
    • Return to work and rehabilitation
    • Sickness absence management
    • Wellbeing and health promotion
  • Conditions
    • Mental health
    • Musculoskeletal disorders
    • Blood pressure
    • Cancer
    • Cardiac
    • Dementia
    • Diabetes
    • Respiratory
    • Stroke
  • CPD
  • Webinars
  • Jobs
  • Personnel Today

Personnel Today

Register
Log in
Personnel Today
  • OHW+
  • Resources
    • Clinical governance
    • Disability
    • Ergonomics
    • Health surveillance
    • OH employment law
    • OH service delivery
    • Research
    • Return to work and rehabilitation
    • Sickness absence management
    • Wellbeing and health promotion
  • Conditions
    • Mental health
    • Musculoskeletal disorders
    • Blood pressure
    • Cancer
    • Cardiac
    • Dementia
    • Diabetes
    • Respiratory
    • Stroke
  • CPD
  • Webinars
  • Jobs
  • Personnel Today

General Data Protection RegulationCoronavirusTestingData protectionHealth and safety

ICO guidance on workplace coronavirus testing published

by Jo Faragher 13 May 2020
by Jo Faragher 13 May 2020 Employers must be 'lawful, respectful and transparent' in how they collect and process test data, says the ICO
Shutterstock
Employers must be 'lawful, respectful and transparent' in how they collect and process test data, says the ICO
Shutterstock

The Information Commissioner’s Office has published guidance on how employers should handle data if they decide to test employees for Covid-19.

It reminds organisations that they still need to comply with General Data Protection Regulation (GDPR) and the Data Protection Act, which requires them to handle it “lawfully, respectfully and transparently”.

Testing and data protection

Employers can now refer essential workers for coronavirus tests 

Data protection impact assessment form

They can keep lists of employees who have either had symptoms or tested as positive, but need to ensure that the processing of this data is “necessary and relevant for the stated purpose”.

However, they must also make sure that such lists do not result in unfair or harmful treatment of employees – individuals’ health status will change over time and information could become inaccurate, the ICO advises.

If they’re sharing information with the wider workforce, they should avoid naming individuals where possible, and not provide more information than is necessary.

Because test data is sensitive medical data, it is classed as “special category data”, so subject to more stringent protection requirements. These include producing a data protection impact assessment (DPIA) and keeping detailed records of how data is categorised and documented.

The DPIA should set out:

  • the activity being proposed;
  • the data protection risks;
  • whether the activity is necessary and proportionate;
  • how risk will be mitigated; and
  • whether risk mitigation has been effective.

Organisations must also meet a number of conditions if they wish to process testing data – these include explicit consent from the individuals concerned and reasons for processing, such as public health or for employment protection. Essentially, “as long as there is good reason for doing so”, according to the ICO.

Employers can show that their processing of test data is compliant by using the ICO’s accountability principle, a checklist that enables them to see if they are compliant with GDPR and data protection legislation.

The ICO warns employers against collecting too much data, reminding them it “is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose”.

Where staff have arranged tests for themselves, employers should have “due regard to the security of that data” if workers have disclosed the results. If employers are considering additional measures such as temperature checks or thermal cameras on site, they must give “specific thought to the purpose and context of its use”, and make a case for collecting such data, says the ICO.

Transparency is crucial regarding any data related to testing, the ICO advises. Employers could consider setting up secure portals or self-service systems so staff can manage and update their personal data where appropriate.

The Office adds that it will continue to take a “strong regulatory approach” against any organisations breaching data protection laws to take advantage of the crisis, but acknowledges that employers’ stretched resources at the moment could impact their levels of compliance.

For example, some organisations may see a rise in Subject Access Requests from employees keen to know how their data has been used, but struggle to respond due to immediate priorities. The ICO says it will take this into account before taking formal enforcement action.

“It is inevitable that any form of testing staff would raise data protection considerations.  It seems impossible to capture testing information without that falling under GDPR,” said Vinod Bange, head of the UK Data Protection & Privacy team at law firm Taylor Wessing.

“It’s a more complex equation under GDPR because health-related personal data has a special category status that means employers will need to get their ducks in a row to ensure their testing activity is lawful under GDPR and that they can demonstrate that level compliance.”

“When it comes to compliance for special category data, all roads lead to the Data Privacy Impact Assessment (DPIA) which will come under scrutiny if compliance is not as strong as it should be or indeed if simply the ICO would like to see it.  In short, the DPIA will be crucial to demonstrating compliance and accountability.”

Bange added that employers should feel comfortable taking tests if they feel it will keep staff and the public safe. The ICO requires employers to be responsible with people’s personal data and ensure it is handled with care.

“So [the guidance is a] cautionary albeit welcome position for employers to take note.

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

“Employers beware though, the GDPR did not promise harmonisation across the EU in matters concerning employment law, so a one-size fits all staff testing policy may not work across your EU operations.”

  Workforce planning opportunities on Personnel Today

Browse more workforce planning jobs

Jo Faragher

Jo Faragher has been an employment and business journalist for 20 years. She regularly contributes to Personnel Today and writes features for a number of national business and membership magazines. Jo is also the author of 'Good Work, Great Technology', published in 2022 by Clink Street Publishing, charting the relationship between effective workplace technology and productive and happy employees. She won the Willis Towers Watson HR journalist of the year award in 2015 and has been highly commended twice.

previous post
Frontline operational staff struggle to raise concerns
next post
Migration Advisory Committee consults on skills shortages

1 comment

Mark Bennett 12 Mar 2021 - 6:45 am

Twice a week i am prodded about like a lab rat. Always come up covid free. Asymptomatic is an unproven myth. Everyone passes every time. Pointless waste of time. And we are still subject to masks and tempurature tests. At least if my employer would be reasonable and drop those as we are tested but no. It will backfire when the lawyers start. I was hurt by the lateral flow tests twice. Employers are box ticking under the guise of staff care. Staff see through it.

Comments are closed.

You may also like

Restaurant tips should be included in holiday pay

21 May 2025

Fewer workers would comply with a return-to-office mandate

21 May 2025

Redefining leadership: From competence to inclusion

21 May 2025

Pay awards in real terms could fall for...

21 May 2025

Ryanair demands flight attendants pay back salary increase

21 May 2025

Consultation launched after Supreme Court ‘sex’ ruling

20 May 2025

Uncertainty over law hampering legal use of medical...

20 May 2025

Black security manager awarded £360k after decade of...

20 May 2025

Employers ‘worryingly’ ignorant about stress risk assessments

20 May 2025

UK and EU agree to collaborate on ‘youth...

19 May 2025

  • 2025 Employee Communications Report PROMOTED | HR and leadership...Read more
  • The Majority of Employees Have Their Eyes on Their Next Move PROMOTED | A staggering 65%...Read more
  • Prioritising performance management: Strategies for success (webinar) WEBINAR | In today’s fast-paced...Read more
  • Self-Leadership: The Key to Successful Organisations PROMOTED | Eletive is helping businesses...Read more
  • Retaining Female Talent: Four Ways to Reduce Workplace Drop Out PROMOTED | International Women’s Day...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • OHW+
  • Resources
    • Clinical governance
    • Disability
    • Ergonomics
    • Health surveillance
    • OH employment law
    • OH service delivery
    • Research
    • Return to work and rehabilitation
    • Sickness absence management
    • Wellbeing and health promotion
  • Conditions
    • Mental health
    • Musculoskeletal disorders
    • Blood pressure
    • Cancer
    • Cardiac
    • Dementia
    • Diabetes
    • Respiratory
    • Stroke
  • CPD
  • Webinars
  • Jobs
  • Personnel Today