- I want to carry out workplace tests to check whether my staff have symptoms of COVID-19 or the virus itself. Do I need to consider data protection law?
- How can I show that our approach to testing is compliant with data protection law?
- How do I decide if symptom checking, testing and the processing of employee health data is necessary?
- How do I decide what type of tests are necessary?
- Which lawful basis can I use for testing employees?
- What do I need to tell my staff about testing?
- Can I make testing or checking for COVID-19 symptoms mandatory for my staff?
- How often should I check for symptoms or test employees?
- My organisation provides or has commissioned a testing service for our employees. What information do I have to provide to employees about results?
- Some staff already have the results of tests that they have arranged for themselves. What are the data protection considerations if they tell me these results?
- Can I keep lists of employees who either have symptoms or tested as positive?
- How do I ensure I don’t collect too much data?
- Can I share the fact that someone has tested positive with other employees, and what do I need to consider if I am planning to disclose this information to third parties?
- How do I ensure that staff are able to exercise their information rights as part of this process?
- How do I decide what type of tests and checks are necessary on customers and visitors?
- What are the data protection concerns when testing international travellers when they arrive in the country?
- Case study: Asking employees if they are experiencing coronavirus symptoms
I want to carry out workplace tests to check whether my staff have symptoms of COVID-19 or the virus itself. Do I need to consider data protection law?
Yes. You will be processing information that relates to an identified or identifiable person, so you need to comply with the UK GDPR and the Data Protection Act 2018. This means that you will need to handle information lawfully, fairly and transparently. Personal data that relates to health is sensitive and is classed as ‘special category data’, and requires additional safeguards.
Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe, including during the pandemic. As part of this activity you need to be responsible with people’s personal data, ensuring that you handle it with care.
How can I show that our approach to testing is compliant with data protection law?
The UK GDPR requires you to be able to show that you are accountable for your processing. A data protection impact assessment (DPIA) is a way of demonstrating accountability. If your organisation is going to begin testing, and therefore processing health information, then you should conduct a DPIA that focuses on the new areas of risk.
Remember that additional protections need to be in place if you are processing special category data. More guidance on this is available here.
How do I decide if symptom checking, testing and the processing of employee health data is necessary?
To help you decide whether measures such as collecting employee health information or asking staff to be tested for COVID-19 are necessary, you should consider the specific circumstances of your organisation and workplace. These include:
- the type of work you do;
- the type of premises you have; and
- other health protection measures you may have in place.
You should consider whether specific regulations or health and safety requirements apply to your organisation or staff. You should also take into account whether you have a specific duty of care to employees. This wider legal framework will help in informing how you apply data protection law.
Keep in mind that, due to its sensitivity, health data is classed as ‘special category data’ and has extra protections under data protection law.
You should be clear about what you are trying to achieve and whether personal information is necessary for that purpose. Data protection law provides you with flexibility if you can demonstrate that you need to process personal information for a specific purpose.
Once you’ve considered your circumstances, ask yourself these questions:
- Do you really need the information?
- Will these steps actually help you provide a safe environment?
- Could you achieve the same result without collecting personal information, in particular, without health information?
If you can show that your approach is reasonable, fair and proportionate, then data protection is very unlikely to be a barrier. If staff proactively ask you to collect information in relation to COVID-19 or to undertake testing, you could use this to demonstrate that your measures are proportionate for those employees.
If you decide that it is necessary to test staff, you need to make sure you manage the information appropriately.
When considering if your approach can be less intrusive, the following questions may be useful:
- Can you confine the collection of health data to the highest risk roles?
- Can you limit access to health data, so that only medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility see it?
- Do you have reasonable alternative measures which don’t rely on personal information?
How do I decide what type of tests are necessary?
You need to consider whether the tests you select meet your reasons for running a testing regime. For example, if you’re running a testing regime to comply with your health and safety obligations as an employer, you should think about which specific tests allow you to fulfil these obligations.
You should also consider how effective these measures are at providing accurate results. You need to be mindful of the latest government advice about the most effective and reliable tests for indicating that an employee may have contracted COVID-19.
Which lawful basis can I use for testing employees?
As long as there is a good reason for doing so, data protection law will provide a lawful basis for processing health data in relation to COVID-19. For public authorities carrying out their function, public task is likely to be applicable. For other public or private employers, legitimate interests is likely to be appropriate, but you need to make your own assessment for your organisation.
There are two relevant Article 9 conditions all organisations could consider – the employment condition and the public health condition.
The employment condition can be found in Article 9(2)(b) along with Schedule 1, Part 1(1) of the DPA 2018. This may apply to organisations that are testing under their employer health and safety conditions.
The public health condition can be found in Article 9(2)(i) and Schedule 1, Part 1(3) of the DPA 2018. The public health condition includes employers who are helping to stop the spread of the virus by running their own testing programmes and reporting results to relevant public health contact tracing authorities. It is important to be aware of the requirement to handle personal data with the necessary degree of confidentiality and ensure you have measures in place to do so.
Either of these conditions will cover most of what employers reasonably need to do, as long as they are not collecting or sharing irrelevant or unnecessary data.
What do I need to tell my staff about testing?
Transparency is very important. As an employer, you should be clear, open and honest with employees and contractors from the start about how and why you need to process their personal data. This is crucial when processing health information. If you are testing employees or contractors for COVID-19 or checking for symptoms, you should be clear about what decisions you will make with that information.
Where possible, you should have clear and accessible privacy information in place for employees and contractors, before any health data processing begins.
Before carrying out any tests, you should at least let your staff know what personal data you require, what it will be used for and who you will share it with. You should also let them know how long you intend to keep the data for. It would also be helpful for you to provide employees and contractors with the opportunity to discuss the collection of such data if they have any concerns.
Can I make testing or checking for COVID-19 symptoms mandatory for my staff?
Not necessarily. Making testing mandatory is not simply a question of data protection. You can actively encourage members of staff to be checked for symptoms or to be tested, but there are many other factors to consider, such as employment law and your contracts with employees, health and safety requirements and equalities issues. You should consider other regulations in your industry and the latest government guidance for your sector.
Data protection law applies to any personal information that you collect and use. This must be necessary, lawful, fair and transparent. If you make checks and tests mandatory, you must carefully consider whether your use of the data is fair and proportionate to the specified purpose (e.g. the employment or public health condition). You should take into account any potential negative consequences for individuals and whether using a voluntary approach could achieve the same or similar results. Before you put such measures in place, you must complete a data protection impact assessment.
How often should I check for symptoms or test employees?
This depends on the safety measures that your organisation needs to put in place. Any checking or testing of your staff and subsequent processing of their health information should be reasonable and proportionate to the specific circumstances including, in some cases, their role.
As an employer and a controller for your employees’ health information, and if you need to collect this information, you should decide on the appropriate timescale between tests. For example, in some sectors where interactions with vulnerable individuals are common, repeat testing may be required more often.
You also have a responsibility to take reasonable steps to ensure that you hold accurate data.
Individuals’ health status may change over time, so if you do decide to make any record of test results, you should ensure its accuracy by recording the date of the result where appropriate. You need to base any decisions you take on factually accurate information.
My organisation provides or has commissioned a testing service for our employees. What information do I have to provide to employees about results?
If your organisation is providing a service for testing employees, you must ensure that you are processing personal information lawfully, fairly and transparently.
Before carrying out any tests, you must tell your staff what personal information you require, what it will be used for and who you will share it with. If you identify either the employment or the public health condition as your condition for processing special category data and you meet the attached Schedule 1 obligations, you do not need the employee’s separate consent to receive test results. You should also tell staff how long you intend to keep the data for.
It would also be helpful for you to give employees the chance to discuss the collection of their data with you if they have any concerns. You should consider any potential negative consequences for staff and whether this means your use of their data could be unfair. Employees should also be informed about the rights they have in relation to this data, such as their right of access.
Some staff already have the results of tests that they have arranged for themselves. What are the data protection considerations if they tell me these results?
If you are only conducting a visual check by looking at a test result on a person’s device or in hard copy, or only seeking verbal confirmation and not recording this information, then it will not fall under data protection law in this instance.
As an employer recording this information, any test results that your staff voluntarily disclose to you should be kept secure, and you should consider any duty of confidentiality you owe to those individuals who have provided test results. Your focus should be on making sure your use of the data is necessary and relevant and that you do not collect or share irrelevant or excessive data, if this is not required. You should consult government guidance for where you operate to determine whether you should share a positive COVID-19 test result with a contact tracing service and ensure that you are transparent with your staff about this.
Can I keep lists of employees who either have symptoms or tested as positive?
Yes. If you need to collect specific health data about employees, your use of the data must be necessary and relevant for your stated purpose. You should ensure that the data processing is secure and consider any duty of confidentiality you owe to employees.
As an employer, you must also ensure that such lists do not result in any unfair or harmful treatment of employees, such as through recording inaccurate information or a failure to acknowledge an individual’s health status changing over time. It would also not be fair to use or retain information you collect about the number of staff who report COVID-19 symptoms for purposes they would not reasonably expect.
How do I ensure I don’t collect too much data?
For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose.
To avoid collecting too much data, you must ensure that it is:
- adequate – enough to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not hold more than you need for that purpose.
In the context of test results, do not collect unnecessary or excessive information from people. For example, you probably only require information about the test result, rather than additional details about underlying conditions. As an employer, you should be able to demonstrate the reason for testing individuals or obtaining the results from tests.
Data protection law also requires you to hold accurate personal data. As such, you should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid.
Can I share the fact that someone has tested positive with other employees, and what do I need to consider if I am planning to disclose this information to third parties?
Yes, you can share this information with staff and third parties where necessary. For example, because COVID-19 is a notifiable disease, employers must inform public health authorities when there are two or more confirmed cases, as this constitutes an outbreak. You should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals if possible and you should not provide more information than is necessary.
Data protection law doesn’t prevent you from sharing data with relevant authorities for public health purposes, or with the police where this is necessary and proportionate. As an employer, depending on where you operate, you may be required to inform a contact tracing scheme if an employee tests positive. You should consult the relevant government guidance for further information.
There are many routes available to share data, using some of the conditions and exemptions in the DPA 2018. You can take into account the risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach.
How do I ensure that staff are able to exercise their information rights as part of this process?
In order for people to be able to exercise their rights, they need to understand what personal data you hold and what you are using it for. As such, transparency is crucial and you should let your staff know how you will use their data in a way that is accessible and easy to understand.
You should ensure that staff are able to exercise their information rights. To make this easier, you may wish to put processes or systems in place that help your staff exercise their rights during the COVID-19 pandemic.
For example, in relation to the right of access (also known as subject access), you might consider setting up secure portals or self-service systems that allow staff to manage and update their personal data where appropriate. This may also allow individuals to exercise other rights, such as the right to rectification or erasure of their data. Where this is not possible, you should make sure that basic policies and procedures are in place to allow employee data to be readily available when needed.
How do I decide what type of tests and checks are necessary on customers and visitors?
As part of the measures you are taking in response to COVID-19, you will need to make a decision on what measures are necessary. You should consult the latest government guidance for where you operate for advised measures to keep your workplace safe. Again, the onus is on you to be able to clearly explain and demonstrate that your approach is rational and fair. This could be done via a data protection impact assessment (DPIA). If you cannot demonstrate this, then it is unlikely the measure will be appropriate.
Effectiveness is an important part of showing that processing is necessary. You need to consider how effective your COVID-19 measures are in keeping the workplace safe and protecting public health. These considerations are also applicable when checking members of the public. You also need to pay attention to the latest government advice about the most effective and reliable tests for indicating that an individual may have contracted COVID-19.
Organisations may be able to rely on the public health condition in Schedule 1, Part 1(3) of the DPA 2018 to help combat the spread of COVID-19. Confidentiality is a key safeguard when relying on the public health condition, especially when processing personal data that is more sensitive, such as health information.
Organisations should ensure that they are able to fulfil any duty of confidentiality to the individuals whose information they are processing. This could be done by making it clear at the point of collection that data will be treated in confidence, and that you may disclose it for defined purposes. Where staff who are not health professionals have access to the test results, they owe an equivalent duty of confidentiality to the individual and these members of staff should be trained to handle special category health data appropriately. You should keep a record of who has had access to test results, when they had access and why they had access as a way to demonstrate your accountability.
Symptom Checking - Temperature
Taking a temperature using a digital thermometer involves the processing of personal data, even if you don’t record any information. Whether you make a record or not, you should be careful how you handle this data.
Under data protection law you must treat it as ‘special category data’, as someone could infer information about an individual’s health and could then make a decision about an individual. Therefore this technique requires a clear justification, and you should consider it as potentially intrusive.
Due to its sensitivity, you must carefully protect health data and there are strict requirements to meet to process this information.
Any decision you make based on a temperature scan could have a negative effect on an individual. For example, a customer could be refused a service based on a reading of a high temperature. In such scenarios, organisations should have policies and procedures in place so staff know how to respond to high temperature readings. Inaccurate readings are also likely to have a detrimental effect on individuals, so you should consider the effectiveness of temperature testing alongside the other safety measures that you implement to keep your organisation safe.
You should only consider temperature testing individuals if you are satisfied about why you are doing it. Temperature testing must be necessary and proportionate for your intended purpose.
Outside of relying on conditions relating to employment, organisations need to be able to identify an Article 6 and an Article 9 lawful basis under the UK GDPR, and where required an associated schedule condition under the DPA 2018, to process health data. Again, if relying on the public health condition, controllers should ensure that they are able to demonstrate how they ensure confidentiality over test results, in particular where the recipient is not a health professional.
What are the data protection concerns when testing international travellers when they arrive in the country?
If you are a provider of international travel testing services, by law you must complete a declaration that your tests meet certain minimum standards.
You must also have a system in place for reporting positive, negative and inconclusive test results in accordance with your obligations under public health legislation.
If you are a testing provider (or sub-contractor), you will be processing personal data, including special category data such as ethnicity and NHS number (if known and applicable), from international travellers.
When you process such data, you must give it further protection due to its sensitivity and identify a lawful basis.
If you are relying on a third party to process personal data on your behalf, you must have a written contract in place so that both parties understand their responsibilities and liabilities.
In addition to ensuring that the collection and onward processing of this information is lawful, you must also ensure that the processing complies with the principles of data protection law and respects the rights and freedoms of individuals.
If this is a new way for you to process personal data, you should comply with the accountability principle and document your compliance prior to the processing. You can do this by carrying out a Data Protection Impact Assessment (DPIA) to help you identify and minimise the data protection risks.
Organisations have a duty to be transparent about the way they process people’s data. It is very important that you are able to clearly explain to people why you are collecting their data and how you will process it.
It may be difficult to rely on consent if you have an obligation to share test results for the purposes of public health, so the reasons for this kind of sharing must be clearly communicated to people.
You should make people aware of how long you will keep their information for, who it will be shared with, and how they can exercise their rights in respect of their personal information.
You should also make sure that your contact details, and those of any relevant regulatory body such as the Information Commissioner’s Office, are readily available in case of query or complaint.
Case study: Asking employees if they are experiencing coronavirus symptoms
What are the key data protection considerations?
If the company introduced a measure that involves processing personal data (such as a questionnaire), it would need to comply with data protection law – the data must be processed lawfully, fairly and transparently. It should also consider the need to complete a Data Protection Impact Assessment before any measures are put in place.
The company needs to be clear, open and honest with staff about how and why it would use their personal data, how long it would be kept for, and who it would be shared with. The staff should also be told how the information would be held securely as well as the rights they have in relation to the data.
The company may be able to use ‘legitimate interests’ as its lawful basis for the processing. Health data is ‘special category data’ under data protection law, so an additional special condition is needed for the processing to be compliant – the company’s health and safety obligations could be the relevant special condition here.
If the company can demonstrate that the processing is a necessary and proportionate way of protecting its staff and their working environment, data protection laws wouldn’t prevent it – but it needs to consider whether the proposed processing activity actually achieves that aim and whether the same result could be achieved through less intrusive means. The ideal processing solution would achieve the desired aim in the least intrusive way possible.
In making this assessment, the company should keep up to date with the latest government guidance for its sector and the general requirement to self-isolate when experiencing symptoms. The company should think carefully about whether a questionnaire achieves anything different from these measures that would make it a necessary step to protecting its staff.