We answer the big questions UK employers have about returning to the workplace during the COVID-19 pandemic.
Can I keep records of my employees' COVID-19 health status?
Yes. Employers need to keep a record of their employees' health status to monitor who is and is not available for work. The ICO guidance on workplace testing is clear that:
"Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency. But it does require you to be responsible with people’s personal data and ensure it is handled with care."
This means that as long as the employer sticks to data protection principles when collecting and storing this data, it is free to do so. Given the data being collected relates to employees' health, particular care must be taken as it can only be processed by the employer in defined and restricted circumstances. This includes ensuring the processing is covered by a short policy document that outlines how the data protection principles will be complied with, how retention and deletion of health data is managed, and including an indication of how long the data will be held.
It is essential to store the data carefully and securely to protect the interests of the data subject and preserve confidentiality. Access to health records must be strictly limited and the records should be kept up to date (with irrelevant and out of date information destroyed).
Should I revisit the privacy notices I provide to employees?
Yes. The type of personal data being collected by employers and the reasons for collecting this data will undoubtedly change in light of the business requirement to protect the health and safety of its employees due to the COVID-19 pandemic. Privacy notices are used to enable data subjects to understand how their data is used, what data is being processed, the reasons for processing and why it is retained.
Employers who are processing their employees' data in new ways or for new purposes are therefore required to update their privacy notices to make sure that this is transparent to all concerned. As part of this it is important to communicate with employees about the new arrangements.
Will the rules for processing health data be the same across Europe?
No. Although the GDPR applies across Europe, the law allows for local variations in certain cases which can govern, for example, the ability to monitor employees' health, check for symptoms of COVID-19 (including temperature testing), and transferring health data to a new jurisdiction. Therefore, it is important to take advice on the position depending on the jurisdiction and what is planned.
In certain jurisdictions, employers are required to consult with employees about data issues using work councils. This does not usually apply in the UK, but if an employer is considering introducing new measures that impact on the use of employees' data as part of the COVID-19 risk assessment, then employees should be consulted.
Can employees be forced to take a test for COVID-19?
Maybe. The starting point is that the data protection framework does not prevent employers from taking steps to keep their staff safe. Although employers cannot usually require employees to undertake health testing it may be possible – depending on the role the employee is performing – to require them to do so where there is a good reason to do so.
Can I require employees to have their temperature taken on arrival at work?
Yes. As part of the measures to be implemented to protect employees' health and safety in the workplace, it is possible to require employees to have their temperature taken on arrival at work. If the plan is simply to check an employee or visitor's temperature on arrival at work but not to retain a record of that check, then the employer is unlikely to be processing their personal data, so there is no need to comply with data protection principles.
If the plan is to retain the health data associated with the temperature check, it is important to ascertain the legal basis for processing the data, consider the accountability principle, and use a Data Protection Impact Assessment (DPIA) to determine the necessity and proportionality of taking this step.
Employers need to consider how much importance to place on temperature testing as a way to protect employees' health – after all, temperature is only one symptom of COVID-19. It is also important to ensure that if temperature records are retained, they are accurate, and that historical records are deleted, as this information will soon become obsolete.
What about using thermal cameras?
Maybe. Caution should be used if considering using thermal cameras to take the temperature of those arriving at a workplace. Thermal cameras can be more intrusive than taking temperatures using a thermometer. Care must therefore be taken to first assess the privacy risks associated with the proposed use of such cameras, how they work, what personal data they will process, and whether less intrusive alternatives are available, in order to make sure that the use of such technology is proportionate. This may mean employers must undertake a DPIA before committing to using this technology.
Can I monitor remote working employees' productivity?
Maybe. Employers are neither expressly allowed to monitor employees' systems nor are they prevented from doing so. The position has not changed because of COVID-19, but the justification for taking steps to monitor productivity may have.
The starting point, as with other areas where monitoring is intrusive, is to carry out a DPIA. Crucially, employees need to be informed that their productivity is being monitored. They need to understand in what circumstances their work will be monitored, what will be monitored, how the information obtained will be used, and what safeguards are in place for those who are subject to monitoring. This is because there is a clear expectation of privacy when people are at work.
In practice, employers should try to reduce the impact on staff by not monitoring the content of emails, and rather monitoring the times when emails are sent, the number of emails sent, and the headings of those emails, to ensure workers are working productively. Employees should be told to mark private emails as private, and these should be excluded from the monitoring process.
Can staff be informed that a colleague has contracted COVID-19?
Yes, but the identity of the colleague must be kept confidential, unless it is not possible to avoid disclosing it. Employees must be notified of the risk of infection as soon as possible to protect their health and safety, but in doing so, the employer should avoid disclosing the identity of the person who is unwell. The ICO guidance for employers provides that they should not disclose more information than is necessary and, in most cases, it will not be necessary to name the individual.
Employers should therefore advise employees that a colleague who has been in the workplace has been infected and that appropriate precautions must be taken in line with the business' health and safety at work assessment.
Can I share details of infected employees with the authorities?
Yes. Health data can be shared where it is necessary for public health purposes and data protection law would not stand in the way of making a disclosure in response to a properly framed request. It is important to understand the basis for any request and, once that has been clarified, to be clear about the lawful basis for sharing this data. Employers do need to consider whether the request can be satisfied by providing anonymous data rather than specific data about employees. In the majority of cases, this should be possible.
Can I introduce a requirement that employees download and use a contact tracing app?
Maybe. In workplaces where it is difficult to guarantee social distancing, employers could introduce a requirement that employees who have a device provided by the employer download a contact tracing app. The justification being that it is required to protect health and safety and minimise sickness absence.
If the employer intends to process personal data produced as a result of the employee using the app it will need to have a lawful basis for processing this data and comply with the GDPR and Data Protection Act 2018, including by conducting a prior assessment of the risk of the processing. It is difficult to rely on consent in an employment context as the basis for processing data due to the inherent imbalance in the relationship between the employer and employee and any legitimate interests grounds for such processing may be harder to justify where the nature of the solution proposed is not proportionate.
The issue is not straightforward. If employers are going to insist that employees use an app, they need to be confident that the app is secure. It is questionable whether employers can require employees to use the app outside given the privacy implications but the app may be less effective if it is only used in the workplace, raising the question of whether it is really justified.
In practice, the employer will be forced to rely on employees self-declaring that they have come into contact with someone who is infected. If employees who are required to self-isolate are only paid Statutory Sick Pay, they may be less inclined to self-isolate if they have no obvious symptoms, even though they may be infectious.
More information
The ICO and UK government are likely to publish further guidance on contact tracing apps and this will be helpful for employers considering introducing such a requirement to their workplaces, given the complexity of the issue and the factors that need to be balanced. The ICO's coronavirus information hub collates guidance on data protection issues during the pandemic and has recently updated its advice for organisations. This includes FAQs for employers, as well as more detailed guidance on testing, surveillance, and data subject rights.
This article is part of a series on HR data appearing on Global Data Hub, our microsite dedicated to exploring legal issues related to data protection and cybersecurity.