Covid-19: The return to the workplace – What are the data privacy implications for employers?
All content on this page is correct as of May 19, 2020
Now that the UK Government has begun the process of lifting
certain lockdown restrictions (at least in England), employers are planning the
return of employees to the workplace. Whether that be offices, factory floors,
retail or catering premises, all employers will need to carefully consider the
requirement to provide a safe working environment.
We have already set out guidance on key considerations for
employers from an employment law perspective here.
We now turn to consider the data privacy implications for those employers
wishing to collect data from individuals in connection with a return to the
workplace. Guidance from the Information Commissioner’s Office was published around workplace
testing on 12 May 2020 to respond to a number of questions that employers are
likely to have. The ICO’s guidance makes the following main points (and our
comments are in bold following):
- Employers need to comply with data protection
law (i.e. the GDPR and Data Protection Act 2018) when carrying out tests in the
workplace for symptoms of Covid-19 or the virus. While the ICO’s guidance refers to employees and staff, employers could
also apply it to all personnel who might enter the workplace e.g. contractors
- Given we are in the middle of a public health
emergency, an employer is able to justify carrying out tests for Covid-19. But the implication is that it will become
harder to justify carrying out these tests when the danger of the public health
emergency begins to wane.
- Remember that data collected about someone’s
health is more sensitive and is classified as ‘special category data’ under the
law. Health data is broadly defined. It
is prudent to treat a negative result for a test for Covid-19 as health data.
- The most relevant lawful basis to allow such
processing of data is likely to be legitimate
interest (so an employer will need to document a Legitimate Interest
Assessment – and can use the ICO’s template)
and additionally, because it’s health data, an employer will also need to rely
on a basis for processing special category data. The ICO indicates that
employers should be able to rely on the employment
condition i.e. processing necessary for the purposes of carrying out
obligations in the field of employment, provided there are appropriate
safeguards for individuals. This is because an employer has an obligation to
provide a safe working environment. The
employment condition can be interpreted here to apply not just to employees but
workers more broadly. Additionally, it may be possible to argue that collecting
health data on contractors and visitors is also justified under this condition.
- The accountability requirement under the GDPR
means that the ICO considers that an employer should conduct a Data Protection
Impact Assessment (DPIA) if it is going to undertake testing. The ICO’s template
can be used to document this but remember that a DPIA should be regularly
reviewed and updated. An employer should
also consider whether they need to act in order to implement an Appropriate
Policy Document required under the Data Protection Act 2018.
- Employers should not collect more data than is
necessary for the purpose. So employers should only use tests that reveal
Covid-19 diagnoses rather than tests that collect information about any other
underlying health conditions. Choosing the right type of test and
ensuring that it gives accurate results is important.
- Keeping lists of individuals who have symptoms
or who have tested positive is fine but you should ensure (i) only the minimum
amount of data is recorded, (ii) such information is kept secure, and (iii) it
is not used to impact individuals in a harmful or unfair way. This means that
you need to ensure that the information is kept accurate and up to date. The use of this data must be fair to
individuals and shouldn’t be kept for longer than is necessary. Once the public health emergency begins to
subside, an employer should be thinking about how and when it can securely
delete this data.
- If a staff member chooses to disclose to their
employer the results of a test they have already taken, the employer should
ensure that the data is kept secure and confidential. No pressure should be put on staff to take tests themselves and then
disclose the results to their employer.
- Being open and transparent with individuals is
vital. It may be necessary to update existing privacy notices or provide new
ones in order to inform individuals about the tests an employer wishes to carry
out. Reviewing existing privacy notices
for employees will be essential.
- Where the circumstances justify it, an employer
can share information with other staff about potential or confirmed Covid-19
cases but should avoid naming individuals and should only share the minimum
amount of information necessary. These
types of communications should be carefully handled to ensure that only relevant
people are informed.
- An employer may also share information about
testing results with public health authorities and with the police where necessary
and proportionate. Data protection law doesn’t necessarily stop you doing so. Employers wishing to disclose data to third
parties still need to ensure they have a lawful basis for doing so. Justifying
the lawful bases for disclosures to public health authorities and the police will
be more straightforward than justifying disclosures to other third parties.
- Remember that individuals still have the ability
to exercise their rights to their personal data under the GDPR and that
includes the data collected through testing for Covid-19. The more transparent an employer is with individuals and the more it
can reassure them about how their data will be used fairly, the less likely
it is that employers will receive requests from individuals to exercise their rights.
- More intrusive technologies such as temperature checks
or thermal cameras should only be used by employers
when necessary and proportionate. The ICO will expect employers to have
considered whether they can achieve the same objective through a less privacy
intrusive means. The DPIA template
provided by the Surveillance Camera Commissioner is provided as a way of
helping employers think through the implications. Using such technologies for ongoing monitoring in the workplace raises
more complex data privacy concerns and is harder to justify.
If you have any questions, please contact Victoria Hordern.
This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.