Covid-19: The return to the workplace – What are the data privacy implications for employers?

Posted on 19 May 2020

Now that the UK Government has begun the process of lifting certain lockdown restrictions (at least in England), employers are planning the return of employees to the workplace. Whether that be offices, factory floors, retail or catering premises, all employers will need to carefully consider the requirement to provide a safe working environment.

We have already set out guidance on key considerations for employers from an employment law perspective here. We now turn to consider the data privacy implications for those employers wishing to collect data from individuals in connection with a return to the workplace.

Guidance from the Information Commissioner’s Office was published around workplace testing on 12 May 2020 to respond to a number of questions that employers are likely to have. The ICO’s guidance makes the following main points (and our comments are in bold following):

Employers need to comply with data protection law (i.e. the GDPR and Data Protection Act 2018) when carrying out tests in the workplace for symptoms of Covid-19 or the virus. While the ICO’s guidance refers to employees and staff, employers could also apply it to all personnel who might enter the workplace e.g. contractors and visitors.
Given we are in the middle of a public health emergency, an employer is able to justify carrying out tests for Covid-19. But the implication is that it will become harder to justify carrying out these tests when the danger of the public health emergency begins to wane.
Remember that data collected about someone’s health is more sensitive and is classified as ‘special category data’ under the law. Health data is broadly defined. It is prudent to treat a negative result for a test for Covid-19 as health data.
The most relevant lawful basis to allow such processing of data is likely to be legitimate interest (so an employer will need to document a Legitimate Interest Assessment – and can use the ICO’s template) and additionally, because it’s health data, an employer will also need to rely on a basis for processing special category data. The ICO indicates that employers should be able to rely on the employment condition i.e. processing necessary for the purposes of carrying out obligations in the field of employment, provided there are appropriate safeguards for individuals. This is because an employer has an obligation to provide a safe working environment. The employment condition can be interpreted here to apply not just to employees but workers more broadly. Additionally, it may be possible to argue that collecting health data on contractors and visitors is also justified under this condition.
The accountability requirement under the GDPR means that the ICO considers that an employer should conduct a Data Protection Impact Assessment (DPIA) if it is going to undertake testing. The ICO’s template can be used to document this but remember that a DPIA should be regularly reviewed and updated. An employer should also consider whether they need to act in order to implement an Appropriate Policy Document required under the Data Protection Act 2018.
Employers should not collect more data than is necessary for the purpose. So employers should only use tests that reveal Covid-19 diagnoses rather than tests that collect information about any other underlying health conditions. Choosing the right type of test and ensuring that it gives accurate results is important.
Keeping lists of individuals who have symptoms or who have tested positive is fine but you should ensure (i) only the minimum amount of data is recorded, (ii) such information is kept secure, and (iii) it is not used to impact individuals in a harmful or unfair way. This means that you need to ensure that the information is kept accurate and up to date. The use of this data must be fair to individuals and shouldn’t be kept for longer than is necessary. Once the public health emergency begins to subside, an employer should be thinking about how and when it can securely delete this data.
If a staff member chooses to disclose to their employer the results of a test they have already taken, the employer should ensure that the data is kept secure and confidential. No pressure should be put on staff to take tests themselves and then disclose the results to their employer.
Being open and transparent with individuals is vital. It may be necessary to update existing privacy notices or provide new ones in order to inform individuals about the tests an employer wishes to carry out. Reviewing existing privacy notices for employees will be essential.
Where the circumstances justify it, an employer can share information with other staff about potential or confirmed Covid-19 cases but should avoid naming individuals and should only share the minimum amount of information necessary. These types of communications should be carefully handled to ensure that only relevant people are informed.
An employer may also share information about testing results with public health authorities and with the police where necessary and proportionate. Data protection law doesn’t necessary stop you doing so. Employers wishing to disclose data to third parties still need to ensure they have a lawful basis for doing so. Justifying the lawful bases for disclosures to public health authorities and the police will be more straightforward than justifying disclosures to other third parties.
Remember that individuals still have the ability to exercise their rights to their personal data under the GDPR and that includes the data collected through testing for Covid-19. The more transparent an employer is with individuals and the more it can reassure them about how their data will be used fairly, the less likely employers will receive requests from individuals to exercise their rights.
The use by employers of more intrusive technologies such as temperature checks or thermal cameras should only be used when necessary and proportionate. The ICO will expect employers to have considered whether they can achieve the same objective through a less privacy intrusive means. The DPIA template provided by the Surveillance Camera Commissioner is provided as a way of helping employers think through the implications. Using such technologies for ongoing monitoring in the workplace raises more complex data privacy concerns and is harder to justify.

If you have any questions, please contact Victoria Hordern on [email protected].

Practical tips for deploying AI

With AI integration becoming increasingly common, it is vital that businesses deploy AI systems in a way that complies with …

Data Protection and Digital Information Bill

Summary Ministers have set out a vision for the UK’s technology strategy. The UK is to become a “tech superpower” …

Election ’24: The data protection considerations of political campaigning (part two)

Communicating with individuals and processing personal data are an essential part of campaigning and advocacy. Read our latest Election '24 factsheet on the data protection rules that you should bear in mind.

EdTech and the application of the ICO Children’s Code

In this factsheet, we briefly outline when the ICO's Children's Code applies to Edtech providers and other key data protection considerations for schools and Edtech service providers.

Election ’24: Data protection and political campaigning (part one)

Communicating with individuals and processing personal data are an essential part of any political campaign. But it is important to …

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Performance

Analytics

Others