Coronavirus and the GDPR
Back in 2018, the shakeup of the UK data protection regime brought in by the GDPR was seemingly all anyone in business was talking about. Now in 2021, it’s fair to say that the COVID-19 pandemic has replaced almost any other topic of conversation. However, the two topics are not entirely distinct, with the pandemic throwing up a number of challenging data protection considerations for employers, specifically in relation to the processing of health information relating to employees.
We have therefore decided to explore some of these issues in two separate blogs which analyse the two key situations which can result in employers needing to process their employees’ health information during the COVID-19 pandemic.
This blog covers the data protection issues which may arise where employers decide to carry out workplace coronavirus testing and symptom monitoring. Please look out for our other blog on Coronavirus and the GDPR, which covers data processing in relation to employee absences.
The processing of health information involves “special category data” under the GDPR, which means an employer must ensure that they have both a lawful condition for processing personal data and a “specific condition” for processing special category data. This blog explores how an employer can demonstrate these required conditions.
Employer testing programmes
During the COVID-19 pandemic, many employers may decide to monitor and test for coronavirus infections amongst their workforce. This may include an employer carrying out temperature checks to find out whether employees have a high temperature (which is one of the symptoms of coronavirus), an employer carrying out its own coronavirus testing or an employer finding out whether employees have tested positive for coronavirus through the NHS Test and Trace system.
Outside of the scope of this blog is the issue of whether an employer has the contractual right to require an employee to undergo testing or to see the results of tests. However, by way of brief summary, it is unlikely that existing employment contracts will give employers these express contractual rights, although clauses which allow employers to request a medical examination or report where ‘reasonably required’ may be wide enough to cover coronavirus testing. Even if such a contractual right exists, employers cannot force employees to take a test (or provide their results), although employees would potentially be in breach of contract if they refused to do so without good reason. The employer may also have the option of taking disciplinary action in such circumstances.
Regarding the data protection issues which arise if an employer decides to implement a testing programme, testing guidance published by the Information Commissioner’s Office (ICO) states that the employer should first conduct a “data protection impact assessment” (DPIA) before putting any measures in place.
A DPIA is a tool which can help employers identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow employers to identify risks and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
An employer should also be clear on the reason why it is undertaking testing of employees and the objectives of such a programme. In most cases, the objectives will likely be to keep employees safe in the workplace and to protect and enable business continuity.
In terms of lawful conditions for data processing, the objective of keeping employees safe coincides with the employer’s duty under health and safety legislation, meaning an employer’s “compliance with a legal obligation” is likely to apply, as is an employer’s “legitimate business interest” in ensuring business continuity.
Regarding a specific condition for processing special category data, an employer’s “obligations and rights under employment law” and taking steps to protect “public health” may apply. The public health condition is relevant on the basis that employers running their own testing programmes can argue that they are helping to stop the spread of coronavirus by running additional testing and reporting results to relevant public health contact tracing authorities.
Each of the above processing conditions relies on the processing being ‘necessary’. Although this doesn’t necessarily mean that the processing must be absolutely essential, it does mean that it must be more than just useful (and more than just standard practice). It also means that the processing must be a targeted and proportionate way of achieving a specific purpose and the processing will not be considered necessary if the employer could reasonably achieve the stated purpose by some other less intrusive means or by processing less data.
In respect of the coronavirus pandemic, the question of whether symptom checking or testing, and the processing of related employee health information, is “necessary” involves considering the specific circumstances of the organisation and workplace, including the type of work the employer does, the type of premises it has and the amount of contact employees have with each other (amongst other things).
The employer should also consider whether it really needs the information, whether the proposed steps will actually help it provide a safe environment and whether it could achieve the same result without collecting personal information. The employer should therefore be clear about what it is trying to achieve and whether personal information is “necessary” for that purpose. If the employer can show that its approach is reasonable, fair and proportionate to the circumstances then it is ‘very unlikely’ that data protection would be a barrier.
A popular type of testing carried out by many employers is temperature testing. However, government guidance suggests that there is actually little scientific evidence to support temperature screening as a reliable method for detecting coronavirus.
The ICO therefore recognises that this type of testing may require stronger justification, particularly given that it should be considered a potentially intrusive method of collecting health information.
Transparency and record keeping
Employers are ‘strongly advised’ to consult with employees before implementing any policy and to communicate clear information to staff on a range of relevant issues, including why the employer is setting up a testing programme as well as or instead of accessing the existing national programme, whether the programme is voluntary or mandatory and the consequences for employees who decline to take part in the testing programme.
Any information collected as part of the testing programme must also only be retained where this is necessary and relevant for its stated purpose. Any data which is retained must be stored securely and the principle of “data minimisation” will apply, which means that the data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. In the context of test results, this means that the employer will probably only require information about the result of a test, rather than additional details about underlying conditions.
If you have any concerns about your rights and obligations when it comes to processing employee health information during the pandemic, please get in touch with the MLP Law Employment team at firstname.lastname@example.org or 0161 926 9969. Please also keep an eye out on our Twitter feed @HRHeroUK and for our other blog in this series.