The Information Commissioner’s Office has published guidance on how employers should handle data if they decide to test employees for Covid-19.
It reminds organisations that they still need to comply with General Data Protection Regulation (GDPR) and the Data Protection Act, which requires them to handle it “lawfully, respectfully and transparently”.
Testing and data protection
They can keep lists of employees who have either had symptoms or tested as positive, but need to ensure that the processing of this data is “necessary and relevant for the stated purpose”.
However, they must also make sure that such lists do not result in unfair or harmful treatment of employees – individuals’ health status will change over time and information could become inaccurate, the ICO advises.
If they’re sharing information with the wider workforce, they should avoid naming individuals where possible, and not provide more information than is necessary.
Because test data is sensitive medical data, it is classed as “special category data” and is therefore subject to more stringent protection requirements. These include producing a data protection impact assessment (DPIA) and keeping detailed records of how the data is categorised and documented.
The DPIA should set out:
- the activity being proposed;
- the data protection risks;
- whether the activity is necessary and proportionate;
- how risk will be mitigated; and
- whether risk mitigation has been effective.
Organisations must also meet a number of conditions if they wish to process testing data – these include explicit consent from the individuals concerned and a lawful reason for processing, such as public health or employment protection. Essentially, processing is permitted “as long as there is good reason for doing so”, according to the ICO.
Employers can show that their processing of test data is compliant by using the ICO’s accountability principle, a checklist that enables them to see if they are compliant with GDPR and data protection legislation.
The ICO warns employers against collecting too much data, reminding them it “is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose”.
Where staff have arranged tests for themselves, employers should have “due regard to the security of that data” if workers have disclosed the results. If employers are considering additional measures such as temperature checks or thermal cameras on site, they must give “specific thought to the purpose and context of its use”, and make a case for collecting such data, says the ICO.
Transparency is crucial regarding any data related to testing, the ICO advises. Employers could consider setting up secure portals or self-service systems so staff can manage and update their personal data where appropriate.
The Office adds that it will continue to take a “strong regulatory approach” against any organisations breaching data protection laws to take advantage of the crisis, but acknowledges that employers’ stretched resources at the moment could impact their levels of compliance.
For example, some organisations may see a rise in Subject Access Requests from employees keen to know how their data has been used, but struggle to respond due to immediate priorities. The ICO says it will take this into account before taking formal enforcement action.
“It is inevitable that any form of testing staff would raise data protection considerations. It seems impossible to capture testing information without that falling under GDPR,” said Vinod Bange, head of the UK Data Protection & Privacy team at law firm Taylor Wessing.
“It’s a more complex equation under GDPR because health-related personal data has a special category status that means employers will need to get their ducks in a row to ensure their testing activity is lawful under GDPR and that they can demonstrate that level of compliance.”
“When it comes to compliance for special category data, all roads lead to the Data Privacy Impact Assessment (DPIA) which will come under scrutiny if compliance is not as strong as it should be or indeed if simply the ICO would like to see it. In short, the DPIA will be crucial to demonstrating compliance and accountability.”
Bange added that employers should feel comfortable taking tests if they feel it will keep staff and the public safe. The ICO requires employers to be responsible with people’s personal data and ensure it is handled with care.
“So [the guidance is a] cautionary albeit welcome position for employers to take note of.
“Employers beware though, the GDPR did not promise harmonisation across the EU in matters concerning employment law, so a one-size-fits-all staff testing policy may not work across your EU operations.”