Inviting employees to return to work during the Coronavirus pandemic has proven challenging. Just as organisations were encouraging their employees to return, UK government advice has changed again, and employees are being told to work from home if they can.
However, not all organisations can do this due to the nature of their business. Where staff must attend on site, employers are understandably focusing on health and safety.
But what measures can organisations reasonably take to support their return to work efforts, and how do they ensure that data protection laws are complied with when more sensitive personal data, such as health data, is collected? In this blog we’ll cover some of the key considerations.
You do not need to ask for your employees’ consent to carry out the processing. In any event such consent would not be valid due to the imbalance of power between the employer and employee (i.e. the employee may feel pressured to sign because they fear there will be repercussions if they don’t).
Article 9(2)(b) of the GDPR and Schedule 1(1) of the Data Protection Act 2018 already provide employers with the lawful basis they need to process the information; the processing is necessary for purposes relating to their employment. However, there is a qualification to this, which is that the processing must be necessary to achieve your purpose.
In practice this means that before taking any further steps, you must ask yourself whether this additional processing of employee personal data is justified and proportionate.
Is Processing Necessary?
As a first step you should consider whether you could achieve your aim of protecting employees against COVID-19 using methods that do not involve the collection of personal data (for example staggering start and finish times; placing workstations 2 metres apart; installing screens between desks; encouraging more staff to work at home).
If the nature of your industry makes these measures impractical or impossible (for example, because you have employees that work in public facing roles where it is difficult to socially distance, such as hospitality or care workers) then you may be able to make a stronger case that the processing of personal data is a necessary step. However, it is important to keep proportionality at the forefront of your mind here, so for example, if it’s your assessment that only some employees are at higher risk then you should restrict the exercise to those individuals.
Data Protection Impact Assessment
Before collecting any data you should carry out a Data Protection Impact Assessment (DPIA) to identify and evaluate the potential risks of using your employees’ data for this new purpose and set out the measures you will put in place to mitigate those risks.
A DPIA is critical. It will help answer the question on whether the processing is necessary and proportionate (e.g. is workplace testing really necessary if other measures, such as those covered above, are in place?) and allow you to mitigate any identified risks.
Covid-19 Workplace Testing
If you wish to organise for your employees to take Covid-19 tests then you should ensure that they are provided with clear and transparent information up front about how you will use that information and who you will share it with.
Transparency is key. You should therefore issue your staff with a privacy notice which clearly explains what decisions will be made using that information, who will have access to the data and how long it will be stored. Make sure you inform your employees of the change before you begin any testing.
You should only make testing compulsory if you are satisfied that this is the only viable means to achieve your aims. If the same goal could be achieved by voluntary testing, then you should follow that route instead. You should also keep in mind that factors outside data protection legislation may also come into play, such as industry regulations, employment contracts and equality laws.
Whichever testing regime you choose to follow, you should take care that you do not discriminate against employees based on whether they have, or have not, taken a Covid-19 test.
When testing, you must only gather the minimum amount of information you need to achieve your aims. Access to test results should be restricted to those with a need to know, such as line managers or medically certified professionals. If an employee tests positive, then the employer should take whatever steps are necessary to keep its workers safe but without revealing the identity of the employee in question.
Underlying Health Conditions
If you intend to collect information about employees’ underlying health conditions as part of your assessment, then you must be very careful to do this in a fair and proportionate way. You should therefore only gather the minimum amount of data you need to identify the employees who are at highest risk. For example, you could create a simple form that only requires the employee to give a yes or no answer as to whether they have a relevant underlying health problem. There is no need to ask them to describe the condition in question.
If you want to use your existing HR records to identify employees who have underlying conditions then we would advise that you seek their consent first, as you will be using their data for a purpose other than that for which it was originally collected.
Using CCTV and Thermal Cameras
Employers may be tempted to make use of CCTV cameras as a means to monitor whether staff are complying with social distancing rules or even for track and trace purposes. However, this would raise some thorny data protection issues as staff monitoring is very intrusive and employees still have a right to a private life at work.
We would therefore recommend that the employer carry out a DPIA before going down this route. Again, the key question the employer must ask itself is whether such a measure would be proportionate and justified in the circumstances, and whether the benefits would outweigh the impact on employee privacy.
The same principle of conducting a DPIA exercise would also apply if an employer was considering introducing other monitoring technologies such as installing thermal cameras to keep track of employees’ temperature.
You should ensure that access to this data is restricted to those who have a ‘need to know’ such as HR. There may be circumstances where there are compelling public health grounds to disclose to others, but these must be considered on a case by case basis.
Storage and Retention
You should ensure that the details you hold about employees’ state of health and test results are kept up to date so that your decisions are based on accurate and up-to-date information. This will be particularly important as there may be situations where a member of staff has been tested twice and shown different results or recovered from the virus having previously shown symptoms.
You should only retain the data for as long as is necessary to safeguard your employees’ health and wellbeing during the pandemic.
It is important to keep in mind that the guidelines for Covid-19 testing and employee monitoring may vary across different jurisdictions.
For example, in Germany it is not permissible to monitor employees’ temperature, whilst in Italy companies can only organise staff testing if this has been agreed by a medical professional.
This being the case, if your company has sites overseas then you will need to check whether your proposed testing regime is compatible with the legislation in those countries.
Finally, remember that all employee personal data, including workplace testing information and assessments will be in scope if an employee makes a subject access request that asks for their personal information.
If you need help with workplace health assessments / testing for Covid-19 purposes, your starting point is the Information Commissioner’s Office (ICO) guidelines on workplace testing, available here.
We can also help if you need support. Please get in touch if you’d like input or assistance.