As more people head back to the workplace, the ICO has issued guidance for employers about what they can and can't do when checking their employees' health status.
What's the issue?
As lockdown lifts, more people are returning to the workplace and employers are facing a raft of issues (which you can read more about here). Among these is marrying the safety requirements of the return with data protection, particularly when checking the on-site health status of employees.
What's the development?
The ICO has published guidance on workplace testing for employers in the form of Q&As. The guidance deals specifically with carrying out tests to find out whether employees have symptoms of COVID-19 (like temperature checks) or carrying out actual COVID-19 tests. In summary, the ICO says:
- Testing will involve processing special category personal data.
- The lawful basis for the testing will probably be public task for public authorities, or legitimate interests for other public and private employers, subject to carrying out the appropriate assessment.
- You should comply with the accountability and transparency requirements, carrying out a Data Protection Impact Assessment (DPIA) and keeping appropriate records.
- You should collect the minimum amount of information required to fulfil the purpose of collection. Data should be adequate, relevant and limited to what is necessary.
- You can keep lists of employees who have tested positive or who have symptoms provided it is necessary and relevant to your purpose. Ensure the data processing is secure.
- You need to be clear with employees about what data you are collecting, why you are collecting it and how you will use it. You should ideally make all required information available to employees before testing begins, but if that is not possible, you should at least tell them what personal data you are processing, what it will be used for, who it will be shared with and how long you are likely to keep it. If possible, give the employees the option to discuss any concerns with you.
- Inform staff about COVID cases but avoid naming individuals if possible and do not provide more information than you need to.
- Put systems in place to help staff exercise their information rights. Make sure staff know what their rights are.
- If staff disclose the results of tests outside the workplace voluntarily, make sure you only use the data where necessary and relevant. Keep it safe.
- If you are considering more intrusive technologies (like thermal cameras) to capture health information and monitor staff on an ongoing basis, you should consider whether the same results could be achieved using less intrusive means. If so, the monitoring may not be proportionate. Any monitoring of employees must be necessary and proportionate, and transparency is key. Use the DPIA template by the Surveillance Camera Commissioner and ICO.
What does this mean for you?
The ICO's guidance is high level but a useful reminder for employers on the dos and don'ts of workplace health testing – something many will not have encountered before. Listen to our recent webinar: Working alongside COVID-19 – what data protection challenges do employers face? to find out more about this and other data protection issues connected to the return to the workplace.