UK: ICO issues new guidance on COVID-19 testing and monitoring in the workplace

The Information Commissioner’s Office (“ICO”) has published guidance for employers on complying with data protection law when taking steps to manage Covid-19 health and safety risk in the workplace (“Guidance”). The Guidance focuses on ‘testing’ of employees (which includes collecting data about symptoms and conducting temperature checks, as well as collecting data about Covid-19 test results), but also touches on other measures which businesses might be considering in order to monitor employee movements within the workplace.

The Guidance – which is especially timely given that many UK businesses are now actively planning or initiating “return to work” strategies – forms part of the ICO’s ongoing programme of guidance on data protection and the coronavirus pandemic.

Key takeaways

  • Data protection law is not an absolute barrier, but steps must be ‘necessary’

Consistent with its previous coronavirus guidance, the ICO is keen to stress that data protection law does not prevent employers from taking steps to keep staff and the public safe and supported during the current pandemic. However, the Guidance is clear that the GDPR and Data Protection Act 2018 (“DPA 2018”) will apply to any personal data processed as a result of testing. This means that the usual data protection principles apply. It also means that employers must be able to show that the steps that they take are a necessary and proportionate response to the pandemic, as it specifically impacts their business. Clearly, many physical health and safety measures that employers can adopt will not require the collection of personal data. Consequently, where privacy-intrusive measures are contemplated, there must be a justification for using them in place of, or in addition to, less intrusive measures.

  • Appropriate lawful basis

To the extent that the collection of health data (such as symptom declarations or test results) is necessary and proportionate, the Guidance clarifies that employers should be able to rely on Article 6(1)(f) of the GDPR – “legitimate interests” – as the legal basis for processing personal data as a result of testing. As the processing of health data (known as ‘special category data’) requires a legal basis under both Article 6 and Article 9 GDPR, the Guidance indicates that employers should consider relying on Article 9(2)(b) GDPR, along with Schedule 1 condition 1 of the DPA 2018 – i.e. necessary due to an employer’s health and safety at work obligations. The Guidance states that this condition will cover most of what employers need to do, as long as employers are not collecting or sharing irrelevant or unnecessary data. A joined-up approach is therefore required between those managing data protection compliance, and those responsible for the health and safety analysis which identifies the need for heightened measures in particular locations or contexts.

  • Retaining and using information about infected employees

The Guidance confirms that an employer can keep a list of employees who either have symptoms or have tested positive for Covid-19, but only where this processing is necessary and relevant for the employer’s stated purpose. In some cases, e.g. screening for symptoms or positive test results in order to determine whether to grant access to a building, it may not be necessary to retain any data beyond that moment in time. However, if maintaining an ongoing record is necessary (e.g. in order to provide employees with access to further healthcare support), then employers must take particular care to ensure that such lists do not result in any unfair or harmful treatment of employees, e.g. due to inaccurate information being recorded, or a failure to acknowledge an individual’s health status changing over time.

  • Sharing of data about infected employees

Whilst the Guidance confirms that it is acceptable to keep staff informed about potential or confirmed Covid-19 cases amongst their colleagues, the Guidance also indicates that naming a specific individual in this context should only be done where genuinely necessary.

The Guidance is clear that if it is necessary to share information with authorities for public health purposes or with the police where necessary and proportionate, then data protection law will not stop employers from doing so. The Guidance also goes further by stating that employers should take into account the risks to the wider public which may be caused by failing to share information.

  • Monitoring safe distancing

Aside from the collection of test results and symptom data, businesses may also be contemplating using technology to monitor the movement of employees within the workplace, in order to help design or enforce safe distancing measures. Various mechanisms exist to do this, including physical devices worn by employees. However, the Guidance touches on the particular issues associated with the use of surveillance camera equipment, including thermal imaging and traditional CCTV. The Guidance does not rule out the ongoing monitoring of staff in this way, but is clear that, again, any monitoring of employees must be necessary and proportionate, and in keeping with an employee’s reasonable expectations. It may, therefore, be difficult to justify such a measure in the absence of any indication of noncompliance, or in a workplace where the maintenance of safe distancing should not be problematic.

The Surveillance Camera Commissioner (SCC) and the Information Commissioner’s Office (ICO) have updated the SCC DPIA template, which is aimed at assisting employers when considering the use of thermal cameras or other surveillance during the pandemic.

  • Further recommendations

The Guidance is clear that where employers are intending to carry out any of the activities referred to above, obligations set out in the GDPR and DPA 2018 must be complied with. In particular, employers should:

  • be clear, open and honest with employees from the start about how and why their personal data will be used and what decisions will be made with any testing information. Where possible, employers should provide clear and accessible privacy information to employees before any health data processing begins and, as a minimum, let staff know what personal data is required, what it will be used for, and who it will be shared with prior to carrying out any testing;
  • ensure that staff are able to exercise their rights under the GDPR. The Guidance suggests putting specific processes or systems in place that will help staff exercise their rights during the Covid-19 crisis;
  • ensure any information processed as a result of testing is kept secure and confidential;
  • in the context of test results, limit the nature and volume of personal data processed to that which is absolutely necessary and proportionate, e.g. an employer will probably only require information about the result of a test, rather than additional details about underlying conditions;
  • only retain information for as long as it is needed. To ensure the personal data remains accurate, employers should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid; and
  • carry out a data protection impact assessment to record the risks and mitigation steps taken prior to carrying out any testing.

Andrew Dyson, James Clark and Rachel de Souza, DLA Piper UK LLP