Client Alert
COVID-19 UK: The UK ICO Publishes Anticipated Guidance on Workplace Testing
May 15, 2020
By Sarah Pearce, Ashley Webber & Kirsty Devine
While COVID-19 continues to affect businesses and individuals globally, the conversation with respect to workplaces is starting to change. The rules of lockdown in most countries required (and continue to require) that, where possible, employees work from home: this saw a huge shift and adjustment in how organisations function and operate on a day-to-day basis. However, with many countries now starting to look towards softening the lockdown rules, many employers are questioning what steps they may and should take when their employees return to the workplace to ensure the spread of COVID-19 is limited. One such method of lowering the spread in the workplace which has received a lot of attention is workplace testing, particularly temperature testing. For some organisations, requiring employees to undergo antibody testing may also be a consideration. Testing of any nature would almost certainly require the employer to process the personal data of the employee, with most instances also involving special category data, i.e. health data, and therefore would be subject to the laws of data protection in the United Kingdom and European Union.
The discussion around testing is not new: certain businesses in the UK and across the EU with key workers implemented temperature testing a number of weeks ago, and with many countries considering return to work plans, the topic has been discussed at length. It is therefore unsurprising and welcome to see that the Information Commissioner’s Office (the ICO), the UK data protection regulator, has published guidance on the data protection considerations for testing employees.
The guidance from the ICO is in line with the general approach the ICO has taken throughout the COVID-19 pandemic: whilst data protection laws are not there to hinder or restrict efforts to slow down the spread of the virus, including in the development of new technologies, the laws must still be obeyed. We have discussed the ICO’s approach in several articles in recent weeks, including in our pieces on the responses from data protection regulators to the pandemic and contact tracing.
What can we learn from the guidance?
As noted above, testing employees upon return to work is not a new conversation, and whilst the ICO’s guidance is useful, it does not include any positions that have not already been widely discussed and, in certain instances, actioned. It does, however, provide helpful confirmation on the positions taken to date.
A few of the key messages are as follows:
Testing employees for symptoms of COVID-19 or the virus itself is permitted subject to complying with data protection legislation when processing any personal data related to the testing. This includes, for example, providing the employee with a privacy notice which sets out the necessary information relating to the personal data and ensuring the personal data is processed securely at all times.
As most tests will involve the processing of special category data, an Article 9 exemption must also be satisfied. With respect to employees, the ICO refers to Article 9(2)(b) – processing is necessary for carrying out obligations and exercising rights in the field of employment.
A data protection impact assessment should be completed and kept under constant review throughout the testing process. If an employer intends to carry out several kinds of testing, it may be that it is appropriate to complete and maintain a data protection impact assessment for each kind of test.
Only collect the personal data that is required for the purpose. Consider, for example, that the employer implements a process to test the temperature of employees upon arrival at the workplace. If the temperature reading does not register as high in accordance with COVID-19 symptom guidance, the employer should assess whether the personal data collected should be retained at all. Employers should be able to demonstrate a justifiable reason for collecting and retaining the personal data pursuant to the testing.
Prepare a procedure for handling results of tests. This should include, for example, the approach the staff member should take if they note a high temperature of an employee and the process for communicating to other employees if a member of staff tests positive for COVID-19. With regard to informing other employees of a positive result of another employee, the ICO notes that employers have a duty to ensure the health and safety of all employees. Therefore, from a data protection perspective, it is permitted to notify relevant employees if a staff member has tested positive. However, where possible, the employer in this scenario should avoid naming the individual and provide as little information as possible to the other employees.
To the extent required by law, employers should comply with requests from data subjects to exercise their rights in respect of the personal data processed through testing.
Anything else of which to be wary?
In addition to the key messages from the ICO guidance, employers should also take the following into account when considering implementing employee testing:
The ICO guidance is targeted towards businesses that process personal data across all industries, and therefore it must be read with that in mind. It is not a blanket approval of testing each and every employee: an obligation still lies with each employer to assess whether or not testing should be carried out within its organisation. Several factors should be considered in this respect. For example, the number of employees and the type of workplace should both be key considerations for employers. Depending on the nature of the workplace, the fewer the employees, the less likely the spread of the virus. The less contact staff members have with one another on a day-to-day basis, the less likely the spread of the virus.
At this stage, the ICO guidance relates only to employees. However, there will be workplaces where there are non-employees also required to attend or visit the workplace who also present a risk of spreading the virus—for example, agency workers or contractors, other service providers such as delivery companies, and visitors. Depending on the frequency and duration of the attendance at the workplace, it may be that an employer considers such individuals to also pose a degree of risk that warrants testing or the collection of additional data. If an employer does take this position, it should undertake a similar legal and practical analysis and position for such individuals as it does for its employees.
Finally, employers should be aware that data protection is not the only area of the law which is relevant to testing employees or other individuals. Other areas of the law will also be of great importance and should be analysed to ensure compliance. Of all applicable areas, arguably the most important is employment law. This means, for example, before implementing a testing procedure, employers should ensure that the testing requirement is applied equally to all employees to reduce any discrimination risk and consider whether it (or any other workplace modifications) necessitates a change to existing HR documents or policies. If it does, and those HR documents or policies are contractual in nature, employers should obtain employees’ individual consent to such changes beforehand. If employee consent is not forthcoming, employers may be required to collectively inform and consult with employees if they are proposing to dismiss and re-engage 20 or more employees on new employment terms. Even if the relevant HR documents or policies are non-contractual in nature, employers should still inform employees of any changes as a matter of good practice. Other relevant areas to consider include, for example, health and safety, property, insurance, and any existing contractual obligations/rights in place with individuals attending the workplace.
Returning to the workplace is a key focus for many businesses right now, but as we know, it also comes with the risk of spreading the virus. That said, there are many steps employers can take to make the workplace as safe as possible. As explained above, whilst many employers will be turning to testing as a key method of doing so, it should be approached with caution. From a data protection perspective, the message from the ICO remains clear: compliance with data protection principles is still key and any testing of employees should be carried out in accordance with the law.