ICO releases guidance for employers on workplace testing

22 June 2020

The Information Commissioner’s Office (ICO) has released new guidance on workplace testing which sets out the data protection considerations for employers carrying out tests for Covid-19 symptoms on workers returning to work.

The ICO’s Workplace testing guidance for employers (which was updated on 16 June 2020) follows the earlier publication of workplace safety guidance by the government, which is now encouraging more workplaces to re-open as the Covid-19 lockdown restrictions begin to be eased. Many employers are considering testing employees and visitors (for example using non-contact digital thermometers to take temperature readings on entry and exit) in order to keep their workplaces safe.

There is no suggestion that testing for Covid-19 symptoms should become routine in workplaces in the UK. However, there is also no explicit prohibition on this sort of testing in the UK and, unlike other European Supervisory Authorities, the ICO does not rule out the possibility of employers using testing in an effort to return workers to safe workplaces. However, the ICO’s guidance emphasises that businesses must still comply with the GDPR and the Data Protection Act 2018 in processing data lawfully, fairly and transparently. We explain what this means in practice below.

Data protection considerations when carrying out workplace testing

Lawful basis: Employee health data can be processed if there is a good reason for doing so. Employers are likely to be able to rely on the fact that it is in an organisation’s legitimate interests to provide a safe workplace. Given the sensitivity of the data likely to be processed, an additional legal basis is required, and this is likely to be that the data is processed because the employer has a legal obligation to provide a healthy and safe workplace.

Necessity: Only the data that is needed to provide a safe environment should be processed. For example, if an employee needs to be below a certain temperature to enter a workplace – it is enough to simply know that the employee is below that temperature at the time of entry. An employer would not need to make a record of that temperature for future reference. Only data that is required should be recorded.

Proportionality: The key is to consider workers’ reasonable expectations and ensure that data is only being processed as far as necessary. The guidance gives the example of an employer only needing to know the result of a test, rather than any further information about underlying conditions. The guidance also addresses the question of mandatory testing, which is not simply a question of data protection law, but also employment law. The ICO does not prohibit mandatory testing on data grounds, but rather suggests that those who are considering whether to make testing mandatory will need to consider industry-specific regulations and sector-specific government guidance. This will feed into whether such an approach is proportionate and necessary. Further organisations will also need to review their employment contracts and ensure that they are comfortable with the risk of a employment tribunal action should an employee claim that mandatory testing and any associated steps taken constitute a breach of their employment contract. The guidance notes that the government’s own testing scheme is voluntary, which is a factor that may be taken into account by a tribunal.

Security: Employers need to ensure that data is secure at all times. Given the sensitivity of health information, and the duty of confidentiality employers owe to their workers, businesses need to ensure that any data collected is secure and only shared with those few people that need to process the information in order to provide a safe working environment.

Transparency: It is a key principle of the GDPR that data controllers are transparent, and so employers need to ensure that they are clear, open and honest with employees. If a testing process is undertaken, employers need to inform employees about how their data is processed. The guidance recognises that it may not be possible to provide detailed information during this exceptional period, but as much information as possible should be given to data subjects for them to understand how their data is being processed.

Retention: Another key principle of the GDPR is that data should be stored for no longer than is necessary. Once the data become redundant, they should be deleted (for example, we would no longer need to know that an employee travelled to Northern Italy in late March). A benefit of deleting redundant data regularly is that there are fewer data potentially at risk of being the subject of a data breach.

Accountability and Data Protection Impact Assessments: While the ICO has previously said that it will follow a flexible approach to enforcement during this unprecedented period (see our earlier article ICO adapts its approach in light of Covid-19), the guidance warns that organisations will need to account for any processing and demonstrate compliance. The guidance is clear that it considers testing to be “high risk processing” and that a data protection impact assessment (DPIA) should be carried out prior to implementing any testing process. A DPIA should in particular set out: a) the activity being proposed; b) the data protection risks; c) whether the proposed activity is necessary and proportionate; d) the mitigating actions that can be put in place to counter the risks; and e) a plan or confirmation that mitigation has been effective. This document will be the first thing a regulator will ask you for if your testing process was ever called into question from a data protection perspective.

Communicating the results: The ICO guidance reminds us of its previous view that where an employee or visitor has tested positive, employers should where possible refrain from naming the individual. If naming that individual is necessary, organisations should not share more information than is strictly necessary.

Conclusion – workplace testing is possible in appropriate circumstances but take key compliance steps first

Given the tips given by the guidance on how to carry out compliant testing, it is clear that workplace testing is possible in appropriate circumstances.

However, what is right for one employer is not necessarily right for another. Circumstances should be considered on a case by case basis. Adopt the most appropriate approach for your working environment. Consider your circumstances, and ensure that any testing program follows the basic principles of: