The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

When they return to work, I want to carry out tests to check whether my staff have symptoms of COVID-19 or the virus itself. Do I need to consider data protection law?

Yes. You will be processing information that relates to an identified or identifiable individual, so you need to comply with the GDPR and the Data Protection Act 2018. That means handling it lawfully, fairly and transparently. Personal data that relates to health is more sensitive and is classed as ‘special category data’, so it must be even more carefully protected.

Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency. But it does require you to be responsible with people’s personal data and ensure it is handled with care.

The ICO has published a document setting out our regulatory approach during the coronavirus pandemic.

How can I show that our approach to testing is compliant with data protection law?

To show that your processing of test data is compliant, you will need to apply the accountability principle. It makes you responsible for complying with the GDPR and requires you to be able to demonstrate that compliance, which includes additional record-keeping requirements when processing special category data. One way of demonstrating accountability is through a data protection impact assessment (DPIA). If your organisation is going to undertake testing and process health information, then you should conduct a DPIA focussing on the new areas of risk.

How do I decide if symptom checking, testing and the processing of health data of employees is necessary?

As lockdown eases and workplaces and other locations begin to reopen, employers and organisations will need to put appropriate measures in place to keep people safe.

To help you decide whether measures such as collecting employees’ health information or asking staff to be tested for COVID-19 are necessary, you should consider the specific circumstances of your organisation and workplace, including:

  • the type of work you do;
  • the type of premises you have; and
  • whether working from home is possible.

You should also consider any specific regulations or health and safety requirements that apply to your organisation or professional staff and any duty of care that you owe to them.

Keep in mind that, due to its sensitivity, health data has the protected status of ‘special category data’ under data protection law.

You should be clear about what you are trying to achieve and whether personal information is necessary for that purpose. Data protection law provides you with flexibility, if you can demonstrate that you need to process personal information for a specific purpose.

Once you’ve considered your circumstances, ask yourself these questions:

  • Do you really need the information?
  • Will these steps actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information; in particular, health information?

If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it’s very unlikely that data protection would be a barrier. If staff proactively ask you to collect information or to undertake testing, this could be used to demonstrate that your measures are proportionate for those employees.

If you have decided that it is necessary to test staff, you need to make sure you hold and use the information appropriately as set out in our guidance.

When considering if your approach can be less intrusive, the following examples may be useful:

  • Can the collection of health information be confined to the highest-risk roles?
  • Can access to health information be limited so that it will only be seen by medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility?
  • Are there reasonable alternative measures which don’t rely on personal information, such as strict social distancing or working from home?

How do I decide what type of tests are necessary?

You will need to make a decision on what tests are necessary for fulfilling your health and safety obligations as an employer, as part of the measures you are taking in response to COVID-19.

You will need to consider how these measures will meet your intended purpose of keeping the workplace safe and how effective these measures are at providing accurate results. You will need to be mindful of the latest government advice about what tests are considered to be the most effective and reliable indicators that an employee may have contracted COVID-19.

Which lawful basis can I use for testing employees?

As long as there is a good reason for doing so, you should be able to process health data about COVID-19. For public authorities carrying out their functions, public task is likely to be the applicable lawful basis. For other public or private employers, legitimate interests is likely to be appropriate, but you should make your own assessment for your organisation.

Due to its sensitivity, health data has the protected status of ‘special category data’ under data protection law. As such, employers must also identify an Article 9 condition for their processing.

The relevant condition will be the employment condition in Article 9(2)(b), along with Schedule 1 condition 1 of the DPA 2018. This applies because of employers’ health and safety obligations. This condition will cover most of what employers need to do, as long as they are not collecting or sharing irrelevant or unnecessary data.

What do I need to tell my staff?

Transparency is very important. As an employer, you should be clear, open and honest with employees from the start about how and why you wish to use their personal data. This is crucial when processing health information. If you are testing employees for COVID-19 or checking for symptoms, you should be clear about what decisions you will make with that information.

Where possible, you should have clear and accessible privacy information in place for employees, before any health data processing begins. We recognise, however, that in this exceptional time it may not be possible to provide detailed information.

Before carrying out any tests, you should at least let your staff know what personal data is required, what it will be used for, and who you will share it with. You should also let them know how long you intend to keep the data for. It would also be helpful for you to provide employees with the opportunity to discuss the collection of such data if they have any concerns.

Can I make it mandatory that my staff are checked for COVID-19 symptoms or tested?

Making testing mandatory is not simply a question of data protection. You can actively encourage members of staff to be checked for symptoms or to be tested, but there are many other factors to consider such as employment law and your contracts with employees, health and safety requirements and equalities issues. You should consider other regulations in your industry and the latest government guidance for your sector. The Government’s own testing programme is voluntary.

Data protection law will apply to any personal information that you collect and use. This must be necessary, lawful, fair and transparent. If you make checks and tests mandatory, you must carefully consider whether your use of the data is fair and proportionate. You should take into account any potential negative consequences for individuals and whether using a voluntary approach could achieve the same or similar results. Before you put such measures in place, you must complete a data protection impact assessment.

How often should I check for symptoms or test employees?

This will depend on the safety measures that your organisation needs to put in place. Any checking or testing of your staff, and subsequent processing of their health information, should be reasonable and proportionate to the specific circumstances including, in some cases, their role.

As an employer, and a controller for your employees’ health information, you will need to decide the appropriate timescale between tests. For example, in some sectors (such as health and social care) where interactions with vulnerable individuals are common, repeat testing may be required more often.

You also have a responsibility to take reasonable steps to ensure that you hold accurate data.

Individuals’ health status may change over time, so if you do decide to make any record of test results, you should ensure its accuracy by recording the date of the result where appropriate. Any decisions you take must be based on factually accurate information.

My organisation provides or has commissioned a testing service for its employees. What information do I have to provide to employees about results?

If your organisation is providing a service for testing employees, you must process personal information lawfully, fairly and transparently.

Before carrying out any tests, you must tell your staff what personal information is required, what it will be used for, and who you will share it with. You should also tell them how long you intend to keep the data for. It would also be helpful for you to provide the opportunity for employees to discuss the collection of their data with you if they have any concerns. You should consider any potential negative consequences for staff and whether this will mean your use of their data could be unfair. Employees should also be informed about the rights they have in relation to this data, such as their right of access.

Some staff already have the results of tests that they have arranged for themselves. If they disclose these results to me, what are the data protection considerations?

For any test results that are voluntarily disclosed to you, as an employer you should have due regard to the security of that data, and consider any duty of confidentiality owed to the individuals who have provided them. Your focus should be on making sure your use of the data is necessary and relevant; you should not collect irrelevant or excessive data, or share it with authorities where this is not required.

Can I keep lists of employees who either have symptoms or have been tested as positive?

Yes. If you need to collect specific health data about employees, you need to ensure the use of the data is actually necessary and relevant for your stated purpose. You should also ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.

As an employer, you must also ensure that such lists do not result in any unfair or harmful treatment of employees. For example, this could be due to inaccurate information being recorded, or a failure to acknowledge an individual’s health status changing over time. It would also not be fair to use, or retain, information you have collected about the number of staff who have reported symptoms of COVID-19 for purposes they would not reasonably expect.

How do I ensure I don’t collect too much data?

For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose.

In order to not collect too much data, you must ensure that it is:

  • adequate – enough to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

In the context of test results, you need to ensure you do not collect unnecessary or excessive information from people. For example, you will probably only require information about the result of a test, rather than additional details about underlying conditions. Consider which testing options are available, to ensure that you are only collecting results that are necessary and proportionate. As an employer, you should be able to demonstrate the reason for testing individuals or obtaining the results from tests.

Data protection law also requires that any personal data you hold is accurate. As such, you should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid. 

Can I share the fact that someone has tested positive with other employees? What do I need to consider if I am planning to disclose this information to third parties?

You should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals if possible, and you should not provide more information than is necessary.

As an employer, it’s your duty to ensure the health and safety of all your employees. Data protection doesn’t prevent you doing this, and should not be viewed as a barrier to sharing data with authorities for public health purposes, or the police where necessary and proportionate. There are many routes available to share data, using some of the conditions and exemptions in the DPA 2018. You also need to take into account the risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach.

How do I ensure that staff are able to exercise their information rights as part of this process?

In order for individuals to exercise their rights, they need to understand what personal data you hold, and what you are using it for. As such, transparency is crucial and you should let your staff know how you will use their data in a way that is accessible and easy to understand.

You should also ensure that staff are able to exercise their information rights. To make this easier you may wish to put processes or systems in place that will help your staff exercise their rights during the COVID-19 crisis.

For example, in relation to the right of access (also known as Subject Access), you might consider setting up secure portals or self-service systems that allow staff to manage and update their personal data where appropriate. This may also allow individuals to exercise other rights such as the right to rectification or erasure of their data. Where this is not possible, you should make sure that basic policies and procedures are in place to allow employee data to be readily available when needed.

How do I decide if symptom checking, testing and the processing of health data of employees, customers and visitors is necessary?

As lockdown eases and workplaces and other locations reopen, employers and organisations will need to put appropriate measures in place to keep people safe. This could involve symptom checking where viral or antibody testing is not appropriate. The ICO is of the view that such processing can go ahead within the current data protection framework, but the onus is on controllers to be able to clearly explain and demonstrate that their approach is rational, effective and fair.

Employment

To help you decide whether measures such as collecting employees’ health information or asking staff to be checked for COVID-19 symptoms are necessary, you should consider the specific circumstances of your organisation and workplace, including:

  • the type of work you do;
  • the amount of contact people have with each other;
  • the type of premises you have; and
  • whether working from home is possible.

You should also consider any specific regulations or health and safety requirements that apply to your organisation or professional staff and any duty of care that you owe to them.

Keep in mind that, due to its sensitivity, health data has the protected status of ‘special category data’ under data protection law.

Once you’ve considered your circumstances, ask yourself these questions:

  • Do you really need the information?
  • Will these steps actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information; in particular, health information? 

You should be clear about what you are trying to achieve and whether personal information is necessary for that purpose. Data protection law provides you with flexibility, if you can demonstrate that you need to process personal information for a specific purpose.

If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it’s very unlikely that data protection would be a barrier. If staff proactively ask you to collect information or to undertake testing, this could be used to demonstrate that your measures are proportionate for those employees.

If you decide that it is necessary to test or check the symptoms of staff, you need to make sure you hold and use the information appropriately as set out in our guidance.

When considering if your approach can be less intrusive, the following examples may be useful:

  • Can the collection of health information be confined to the highest-risk roles?
  • Can access to health information be limited so that it will only be seen by medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility?
  • Are there reasonable alternative measures which don’t rely on personal information, such as strict social distancing or working from home?

Customers and visitors

If your organisation is in the hospitality sector, or you provide a service to individuals on a one-to-one basis, you may wish to check the symptoms of customers or visitors who may be potential carriers of COVID-19. This may not involve established viral or antibody testing, but, as above, if you can clearly demonstrate that your approach is reasonable, fair and proportionate in the circumstances, then it’s very unlikely that data protection would be a barrier to preventing the spread of COVID-19. It is important to remember that processing data relating to health requires extra protection, and you should have measures in place to ensure the confidentiality of the data you process.

Further guidance on tests and symptom checking is below.

How do I decide what type of tests and checks are necessary on employees, customers and visitors?

As part of the measures you are taking in response to COVID-19, whether you are fulfilling your health and safety obligations as an employer, or you wish to check customers and visitors as part of a one-to-one service, you will need to make a decision on what measures are necessary. Again, the onus is on you to be able to clearly explain and demonstrate that your approach is rational and fair. This could be done via a Data Protection Impact Assessment (DPIA). If this cannot be demonstrated, then it is unlikely the measure will be appropriate.

As an employer, you will need to consider how all of your COVID-19 measures will meet your intended purpose of keeping the workplace safe and how effective these measures are at providing accurate results. These considerations also apply when checking members of the public. You will also need to pay attention to the latest government advice about what tests are considered to be the most effective and reliable indicators that an individual may have contracted COVID-19.

Other than established viral or antibody tests, organisations may choose to consider alternative measures to monitor symptoms or social distancing related to COVID-19. Measures could include the use of CCTV to monitor behaviour, or methods relating to temperature checks.

Outside of employment, organisations may be able to rely on the public health condition in Schedule 1 of the DPA 2018 to help combat the spread of COVID-19. Confidentiality is a key safeguard when relying on the public health condition, especially when processing personal data that is more sensitive, such as health information.

Organisations should ensure that they are able to fulfil any duty of confidentiality to the individuals whose information they are processing. This could be done by making it clear at the point of collection that data is being provided in confidence, will be treated as confidential, and may be disclosed for defined purposes.  

Symptom Checking - Temperature

Taking a temperature involves the processing of personal data even if no information is recorded. Under data protection law it must be treated as ‘special category data’, because information about an individual’s health can be inferred from the reading and a decision about that individual can then be made. This technique therefore requires a stronger justification and should be considered potentially intrusive.

Due to its sensitivity, health data must be even more carefully protected and the requirements for processing it are stricter. A thermal image of an individual also has the potential to be biometric data if it is linked to a CCTV system that has facial recognition capabilities for the purpose of uniquely identifying someone.

Any decision you make based on a temperature scan could have a negative effect on an individual. For example, a customer could be refused a service based on a reading of a high temperature. In such scenarios, organisations should have policies and procedures in place so staff know how to respond to elevated temperature readings. Inaccurate readings are also likely to have a detrimental effect on individuals, so you should consider the effectiveness of temperature testing alongside the other safety measures you have implemented to keep your organisation safe.

You should only consider temperature testing individuals if you can strongly justify the processing, where the solution to your problem cannot be achieved through less privacy intrusive means. Temperature testing must be necessary and proportionate for your intended purpose.

Outside of relying on conditions relating to employment, organisations need to be able to identify an Article 6 lawful basis and an Article 9 condition under the GDPR, as well as an associated Schedule 1 condition under the DPA 2018, to process health data. Again, when relying on the public health condition, controllers should be able to demonstrate that they owe a duty of confidentiality to individuals where health information is processed.