On May 11, 2020, the UK Information Commissioner’s Office (ICO) published guidance on how employers should handle data in the event they choose to test their employees for COVID-19 on return to work.
What is the guidance about?
As the gradual return to work begins, managing ongoing health and safety risks poses data protection challenges for employers and occupiers of buildings. They face difficult choices about who to admit to premises and how to ensure those admitted are free from COVID-19.
Even though social distancing rules are likely to continue inside buildings, further health and safety measures are needed to keep employees safe. Detailed and practical planning is therefore needed so that such measures are implemented with their data protection implications taken into account.
The guidance reminds employers that processing of personal data requires compliance with the GDPR and any relevant national law, and it sets out which measures can be implemented and which cannot. Further, it clearly states that situations such as the current one, which require the processing of health data (categorised as ‘special category personal data’ under the GDPR), call for more careful handling.
Under the GDPR, such processing can take place but even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.
The full guidance can be found here.
How should employers handle personal data?
One of the main principles of the GDPR is that processing must be lawful. It is provided in the law that processing shall be lawful only if and to the extent that there is a lawful basis for the specific processing of personal data. For COVID-19, the guidance notes that for public authorities carrying out their function, ‘performance of a task carried out in the public interest’ can be an applicable basis and for other public or private employers, ‘legitimate interests’ can be applicable.
However, each industry, workplace, employer and employee and respective appropriate measures will be very different. Therefore, each situation must be looked at individually and assessed on its own merits for the basis to be used.
Additionally, as a general rule, health data, being special category personal data, cannot be processed. To be able to process such data, employers must identify one of the exceptions set out in Article 9 of the GDPR. According to the guidance, the relevant exception will be the employment condition, which covers employers’ health and safety obligations and will be an adequate ground for processing health data as long as employers are not collecting or sharing irrelevant or unnecessary data.
How to ensure compliance with the GDPR?
A key part of accountability under the GDPR is the requirement to carry out a Data Protection Impact Assessment (DPIA). A DPIA is required when processing is likely to result in a high risk to the rights and freedoms of individuals. Given that testing and processing health information is likely to result in a high risk to the rights and freedoms of employees, a DPIA should be carried out before personal data is processed (for example, before temperature checks are introduced) in order to identify the areas of high risk.
This DPIA should set out:
Additionally, although the exceptions allow sensitive personal data to be processed without the consent of data subjects, the requirements of confidentiality, data minimisation, purpose limitation and data security still apply. This means employers must ensure that:
1. only enough personal data to fulfil the stated purpose is collected (for example, it would not be permissible to ask employees about their underlying conditions);
2. the collected data has a rational link to that purpose; and
3. the data is limited to what is necessary, so that employers do not hold more personal data than is needed for that purpose.
When retaining data, employers are advised to ensure that test results, including the dates of those results, are kept securely and accurately, because the health status of employees changes over time and earlier test results may no longer be valid. This is also vital to prevent unfair or harmful treatment of employees, because inaccurate or outdated test results may lead to discrimination against some of them.
Employers should keep staff informed about COVID-19 cases on the premises and take protective measures, but should not communicate more information than is necessary and proportionate. Where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and national law allows it, the employees concerned shall be informed in advance and their dignity and integrity shall be protected. Regarding any test results that are voluntarily disclosed, employers should have due regard to the security and confidentiality of that data and should keep only the minimum data relating to the test result.
In managing ongoing health and safety risks for the return to work, all controllers and processors must take extra care: their obligations under the GDPR continue to apply, and the processing of special category personal data must be carried out in accordance with the GDPR and relevant national laws.