When they return to work, I want to carry out tests to check whether my staff have symptoms of COVID-19 or the virus itself. Do I need to consider data protection law?

Yes. You will be processing information that relates to an identified or identifiable individual, so, you need to comply with the GDPR and the Data Protection Act 2018. That means handling it lawfully, fairly and transparently. Personal data that relates to health is more sensitive and is classed as ‘special category data’ so it must be even more carefully protected.

Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency. But it does require you to be responsible with people’s personal data and ensure it is handled with care.

The ICO has published a document setting out our regulatory approach during the coronavirus pandemic

How can I show that our approach to testing is compliant with data protection law?

To show that your processing of test data is compliant, you will need to use the accountability principle. It makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance such as additional recording keeping requirements when processing sensitive data. One way of demonstrating accountability is through a data protection impact assessment (DPIA). If your organisation is going to undertake testing and process health information, then you should conduct a DPIA focussing on the new areas of risk.

How do I decide if symptom checking, testing and the processing of health data of employees is necessary?

As lockdown eases and workplaces and other locations begin to reopen, employers and organisations will need to put appropriate measures in place to keep people safe.

To help you decide whether measures such as collecting employee’s health information or asking staff to be tested for COVID-19 are necessary, you should consider the specific circumstances of your organisation and workplace, including:

  • the type of work you do;
  • the type of premises you have; and
  • whether working from home is possible.

You should also consider any specific regulations or health and safety requirements that apply to your organisation or professional staff and any duty of care that you owe to them.

Keep in mind that, due to its sensitivity, health data has the protected status of ‘special category data’ under data protection law.

You should be clear about what you are trying to achieve and whether personal information is necessary for that purpose. Data protection law provides you with flexibility, if you can demonstrate that you need to process personal information for a specific purpose.

Once you’ve considered your circumstances, ask yourself these questions:

  • Do you really need the information?
  • Will these steps actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information; in particular, health information? 

If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it’s very unlikely that data protection would be a barrier. If staff proactively ask you to collect information or to undertake testing, this could be used to demonstrate that your measures are proportionate for those employees.

If you have decided that it is necessary to test staff, you need to make sure you hold and use the information appropriately as set out in our guidance.

When considering if your approach can be less intrusive, the following examples may be useful:

  • Can the collection of health information be confined to the highest-risk roles?
  • Can access to health information be limited so that it will only be seen by medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility?
  • Are there reasonable alternative measures which don’t rely on personal information, such as strict social distancing or working from home? 

How do I decide what type of tests are necessary?

You will need to make a decision on what tests are necessary for fulfilling your health and safety obligations as an employer, as part of the measures you are taking in response to COVID-19.

You will need to consider how these measures will meet your intended purpose of keeping the workspace safe and how effective these measures are at providing accurate results. You will need to be mindful of the latest government advice about what tests are considered to be the most effective and reliable indicators that an employee may have contracted COVID-19. 

Which lawful basis can I use for testing employees?

As long as there is a good reason for doing so, you should be  able to process health data about COVID-19. For public authorities carrying out their function, public task is likely to be applicable. For other public or private employers, legitimate interests is likely to be appropriate, but you should make your own assessment for your organisation.  

Due to its sensitivity, health data has the protected status of ‘special category data’ under data protection law. As such, employers must also identify an Article 9 condition for their processing.

The relevant condition will be the employment condition in Article 9(2)(b), along with Schedule 1 condition 1 of the DPA 2018. This applies due to their employer health and safety obligations.  This condition will cover most of what employers need to do, as long as they are not collecting or sharing irrelevant or unnecessary data.   

What do I need to tell my staff?

Transparency is very important. As an employer, you should be clear, open and honest with employees from the start about how and why you wish to use their personal data. This is crucial when processing health information.  If you are testing employees for COVID-19 or checking for symptoms, you should be clear about what decisions you will make with that information.

Where possible, you should have clear and accessible privacy information in place for employees, before any health data processing begins. We recognise, however, that in this exceptional time it may not be possible to provide detailed information.

Before carrying out any tests, you should at least let your staff know what personal data is required, what it will be used for, and who you will share it with. You should also let them know how long you intend to keep the data for. It would also be helpful for you to provide employees with the opportunity to discuss the collection of such data if they have any concerns.

Can I make it mandatory that my staff are checked for COVID-19 symptoms or tested?

Making testing mandatory is not simply a question of data protection. You can actively encourage members of staff to be checked for symptoms or to be tested, but there are many other factors to consider such as employment law and your contracts with employees, health and safety requirements and equalities issues. You should consider other regulations in your industry and the latest government guidance for your sector. The Government’s own testing programme is voluntary.

Data protection law will apply to any personal information that you collect and use. This must be necessary, lawful, fair and transparent. If you make checks and tests mandatory, you must carefully consider whether your use of the data is fair and proportionate. You should take into account any potential negative consequences for individuals and whether using a voluntary approach could achieve the same or similar results. Before you put such measures in place, you must complete a data protection impact assessment.

How often should I check for symptoms or test employees?

This will depend on the safety measures that your organisation needs to put in place. Any checking or testing of your staff, and subsequent processing of their health information, should be reasonable and proportionate to the specific circumstances including, in some cases, their role.

As an employer, and a controller for your employees’ health information, you will need to decide the appropriate timescale between tests. For example, in some sectors (such as health and social care) where interactions with vulnerable individuals are common, repeat testing may be required more often.

You also have a responsibility to take reasonable steps to ensure that you hold accurate data.

Individuals’ health status may change over time, so if you do decide to make any record of test results, you should ensure its accuracy by recording the date of the result where appropriate. Any decisions you take must be based on factually accurate information.

My organisation provides or has commissioned a testing service for its employees. What information do I have to provide to employees about results?

If your organisation is providing a service for testing employees, you must process personal information lawfully, fairly and transparently.

Before carrying out any tests, you must tell your staff what personal information is required, what it will be used for, and who you will share it with. You should also tell them how long you intend to keep the data for. It would also be helpful for you to provide the opportunity for employees to discuss the collection of their data with you if they have any concerns. You should consider any potential negative consequences for staff and whether this will mean your use of their data could be unfair. Employees should also be informed about the rights they have in relation to this data, such as their right of access.

Some staff already have the results of tests that they have arranged for themselves. If they disclose these results to me, what are the data protection considerations?

For any test results that are voluntarily disclosed to you, as an employer you should have due regard to the security of that data, and consider any duty of confidentiality owed to those individuals who have provided test results. Your focus should be on making sure your use of the data is necessary and relevant, and you do not collect or share irrelevant or excessive data to authorities if this is not required.

Can I keep lists of employees who either have symptoms or have been tested as positive?

Yes. If you need to collect specific health data about employees, you need to ensure the use of the data is actually necessary and relevant for your stated purpose. You should also ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.

As an employer, you must also ensure that such lists do not result in any unfair or harmful treatment of employees. For example, this could be due to inaccurate information being recorded, or a failure to acknowledge an individual’s health status changing over time. It would also not be fair to use, or retain, information you have collected about the number of staff who have reported symptoms of COVID-19 for purposes they would not reasonably expect.

How do I ensure I don’t collect too much data?

For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose.

In order to not collect too much data, you must ensure that it is:

  • adequate – enough to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

In the context of test results, you need to ensure you do not collect unnecessary or excessive information from people. For example, you will probably only require information about the result of a test, rather than additional details about underlying conditions. Consider which testing options are available, to ensure that you are only collecting results that are necessary and proportionate. As an employer, you should be able to demonstrate the reason for testing individuals or obtaining the results from tests.

Data protection law also requires that any personal data you hold is accurate. As such, you should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid. 

Can I share the fact that someone has tested positive with other employees? What do I need to consider if I am planning to disclose this information to third parties?

You should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals if possible, and you should not provide more information than is necessary.  

As an employer, it’s your duty to ensure the health and safety of all your employees. Data protection doesn’t prevent you doing this, and should not be viewed as a barrier to sharing data with authorities for public health purposes, or the police where necessary and proportionate. There are many routes available to share data, using some of the conditions and exemptions in the DPA 2018. You also need to take into account the risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach.

How do I ensure that staff are able to exercise their information rights as part of this process?

In order for individuals to exercise their rights, they need to understand what personal data you hold, and what you are using it for. As such, transparency is crucial and you should let your staff know how you will use their data in a way that is accessible and easy to understand.

You should also ensure that staff are able to exercise their information rights. To make this easier you may wish to put processes or systems in place that will help your staff exercise their rights during the COVID-19 crisis.

For example, in relation to the right of access (also known as Subject Access), you might consider setting up secure portals or self-service systems that allow staff to manage and update their personal data where appropriate. This may also allow individuals to exercise other rights such as the right to rectification or erasure of their data. Where this is not possible, you should make sure that basic policies and procedures are in place to allow employee data to be readily available when needed.