Navigating the new normal

Covid-19: The return to the workplace – What are the data privacy implications for employers?


All content on this page is correct as of May 19, 2020

Now that the UK Government has begun the process of lifting certain lockdown restrictions (at least in England), employers are planning the return of employees to the workplace. Whether that be offices, factory floors, retail or catering premises, all employers will need to carefully consider the requirement to provide a safe working environment.

We have already set out guidance on key considerations for employers from an employment law perspective here. We now turn to consider the data privacy implications for those employers wishing to collect data from individuals in connection with a return to the workplace.

The Information Commissioner’s Office published guidance on workplace testing on 12 May 2020 to respond to a number of questions that employers are likely to have. The ICO’s guidance makes the following main points (our comments follow in bold):

  • Employers need to comply with data protection law (i.e. the GDPR and Data Protection Act 2018) when carrying out tests in the workplace for symptoms of Covid-19 or the virus. While the ICO’s guidance refers to employees and staff, employers could also apply it to all personnel who might enter the workplace e.g. contractors and visitors.
  • Given we are in the middle of a public health emergency, an employer is able to justify carrying out tests for Covid-19. But the implication is that it will become harder to justify carrying out these tests when the danger of the public health emergency begins to wane.
  • Remember that data collected about someone’s health is more sensitive and is classified as ‘special category data’ under the law. Health data is broadly defined. It is prudent to treat a negative result for a test for Covid-19 as health data.
  • The most relevant lawful basis to allow such processing of data is likely to be legitimate interest (so an employer will need to document a Legitimate Interest Assessment – and can use the ICO’s template) and additionally, because it’s health data, an employer will also need to rely on a basis for processing special category data. The ICO indicates that employers should be able to rely on the employment condition i.e. processing necessary for the purposes of carrying out obligations in the field of employment, provided there are appropriate safeguards for individuals. This is because an employer has an obligation to provide a safe working environment. The employment condition can be interpreted here to apply not just to employees but workers more broadly. Additionally, it may be possible to argue that collecting health data on contractors and visitors is also justified under this condition.
  • The accountability requirement under the GDPR means that the ICO considers that an employer should conduct a Data Protection Impact Assessment (DPIA) if it is going to undertake testing. The ICO’s template can be used to document this but remember that a DPIA should be regularly reviewed and updated. An employer should also consider whether they need to act in order to implement an Appropriate Policy Document required under the Data Protection Act 2018.
  • Employers should not collect more data than is necessary for the purpose. So employers should only use tests that reveal Covid-19 diagnoses rather than tests that collect information about any other underlying health conditions.  Choosing the right type of test and ensuring that it gives accurate results is important.
  • Keeping lists of individuals who have symptoms or who have tested positive is fine but you should ensure (i) only the minimum amount of data is recorded, (ii) such information is kept secure, and (iii) it is not used to impact individuals in a harmful or unfair way. This means that you need to ensure that the information is kept accurate and up to date. The use of this data must be fair to individuals and shouldn’t be kept for longer than is necessary.  Once the public health emergency begins to subside, an employer should be thinking about how and when it can securely delete this data.
  • If a staff member chooses to disclose to their employer the results of a test they have already taken, the employer should ensure that the data is kept secure and confidential. No pressure should be put on staff to take tests themselves and then disclose the results to their employer.
  • Being open and transparent with individuals is vital. It may be necessary to update existing privacy notices or provide new ones in order to inform individuals about the tests an employer wishes to carry out. Reviewing existing privacy notices for employees will be essential.
  • Where the circumstances justify it, an employer can share information with other staff about potential or confirmed Covid-19 cases but should avoid naming individuals and should only share the minimum amount of information necessary. These types of communications should be carefully handled to ensure that only relevant people are informed.
  • An employer may also share information about testing results with public health authorities and with the police where necessary and proportionate. Data protection law doesn’t necessarily stop you doing so. Employers wishing to disclose data to third parties still need to ensure they have a lawful basis for doing so. Justifying the lawful bases for disclosures to public health authorities and the police will be more straightforward than justifying disclosures to other third parties.
  • Remember that individuals still have the ability to exercise their rights to their personal data under the GDPR and that includes the data collected through testing for Covid-19. The more transparent an employer is with individuals and the more it can reassure them about how their data will be used fairly, the less likely it is that employers will receive requests from individuals to exercise their rights.
  • Employers should only use more intrusive technologies such as temperature checks or thermal cameras when necessary and proportionate. The ICO will expect employers to have considered whether they can achieve the same objective through a less privacy intrusive means. The DPIA template from the Surveillance Camera Commissioner is provided as a way of helping employers think through the implications. Using such technologies for ongoing monitoring in the workplace raises more complex data privacy concerns and is harder to justify.

If you have any questions, please contact Victoria Hordern on [email protected].


This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.
