Data protection issues on returning to work and Covid testing

The Information Commissioner’s Office (ICO) has provided new guidance to assist employers in staying legally compliant with regard to data protection issues, if they seek health information from staff in the workplace or undertake Covid testing.

A statement directly from the Information Commissioner was included in the guidance, where she confirmed that Data Protection legislation does not prevent employers from asking employees whether they are experiencing coronavirus symptoms, and it also does not prevent them from introducing testing. However, she reminded employers of the importance of acting with transparency, fairness and proportionality.

The following six key data protection steps were detailed in the guidance:

1) Only to collect and use necessary data

The ICO suggests that employers should ask the following questions when deciding if the collection of health data is necessary:

• How will collecting extra personal information help keep the workplace safe?
• Do we really need the information?
• Could the same result be achieved without collecting personal information?
• If we carry out coronavirus testing, will the test help to provide a safe environment?

The ICO also highlighted that there are extra requirements to comply with if employers carry-out coronavirus symptom checking or testing, including identifying the appropriate lawful basis for using the collected information, and that if health data is going to be processed on a large scale then employers will need to do a data protection impact assessment. See the following link for more information from the ICO on symptom testing and checking: https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/testing/

2) Keeping data collection to a minimum

The ICO assert the importance of not collecting more personal information than is required to implement measures ‘appropriately and effectively’. They also warn against unnecessarily creating permanent records where information needs only to be held on a temporary basis. This is a general principle of data protection law in any event, but it is worth remembering in the current situation.

3) Being clear, open and honest with employees about their data

The ICO is clear that employees must be told how and why it is proposed that employees’ personal information will be used. The guidance states that potential implications of data use should be outlined, including whether data would be shared with other parties and how long the information would be kept. It suggests referring to the employer’s Privacy Notice (if it has one). However, if the Privacy Notice is not detailed enough to apply to the current circumstances, the information above should still be provided.

4) Treat employees fairly

The ICO stresses that if any decisions are made about a staff member’s employment which are based upon health information collected about them, that decisions taken should be fair. The legal risks for an employer are higher where decisions result in detriment to employees or dismissal, and especially if actions could be discriminatory, even on an indirect basis. Inconsistency of treatment between individuals may also be a factor which can point to unfairness, unless that differential treatment can be legally justified.

5) Keep data secure

The ICO reminded employers that any personal data that is obtained must be kept securely, and urged them to consider having a retention policy which details how data will be reviewed, deleted or anonymised. It is also worth considering who will need to have access to the data and keeping access limited as far as possible.

6) Ensure staff can exercise their information rights

The ICO set out their expectation that organisations will inform individuals about their rights in relation to their personal data, such as the right of access to it or rectification of it, and give staff the opportunity to exercise their rights or internally raise any data protection questions or concerns they have. Concerns may be raised informally or as part of a formal grievance procedure and may include employees making Subject Access Requests to see the information that is being held about them.

The law and guidance in this area is likely to develop depending on how testing evolves, but in the meantime it is sensible for employers to be mindful of the above principles. While everyone wants to try to combat the virus and make their workplace as safe as possible, measures involving data collection do need to be measured and proportionate.