Covid Testing in the Workplace

Covid testing in the workplace – can we do it?

On 29 March, lockdown restrictions eased and the “stay at home” message turned to “stay local”. Earlier in the year, the Government also extended its Covid workplace rapid testing programme to all businesses, regardless of employee numbers. With this context in mind we are looking ahead to the potential reduction in temporary work from home arrangements and thinking about how testing can be managed in compliance with the GDPR.

What do employers need to consider?

Given that the workplace rapid testing programme is free, it is likely that a lot of businesses will be thinking about whether or not to deploy it in their organisation. As a responsible employer there are probably a few things you will be thinking about from a data protection perspective:

  1. How do we find out whether or not an employee is displaying symptoms?
  2. Can we add Covid test results to a personnel record?
  3. If we decide to apply for rapid tests, can we ask employees to take one?
  4. Can we share the test results?

Where do we start?

If you are considering making tests available to your employees, you should be clear about what you are seeking to achieve by doing so and whether collecting special category data is necessary for that purpose. This means you should be thinking about:

  • Do we really need this information?
  • If we do not have this information, what would the consequences be?
  • Do we need this information for all employees or just some?
  • What is the minimum amount of data we need for the purpose?
  • Are there any alternatives to collecting the information (e.g. can employees continue to work from home instead)?
  • Would the working environment be safer if we had this information?

Conducting a Data Protection Impact Assessment will help here; it will both consolidate your thinking and demonstrate your accountability. The DPIA needs to be done before you start the processing and it should be kept up to date as/when/if things change.

It is necessary – what next?

As health data is special category data, you need both a legal basis for processing and a separate condition for processing.

  • Legal basis
    • Public authorities: the legal basis is probably going to be “public task”
    • All other organisations: it is pretty well established that consent is a difficult legal basis for employers to rely upon; this is because of the imbalance in the relationship – it could be said that an employee is unable to give consent freely. So, it is likely you will be considering “legitimate interests”.
  • Condition for processing
    • There are probably two Article 9 conditions you will be looking at:
      • Article 9(2)(b) – the processing is necessary for the purposes of carrying out your obligations as an employer, or
      • Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
    • Both of these conditions also require you to apply a condition under Schedule 1 of the Data Protection Act 2018.

Now what?

Your DPIA has clarified the extent of the personal data you need to collect and confirmed how the activity can proceed, and you have determined your legal basis. You now need to think about how to communicate the activity to your staff. Here you should be addressing:

  • How do I communicate clearly and effectively what our purpose is here and why we think it is necessary?
  • Would it be appropriate to explain our decision making?
  • How long are we going to keep the information and how can staff get access to it in the future?
  • What if our staff have concerns; how are we going to assuage those and ensure they are empowered to exercise their privacy rights?

If you are open and honest with your employees in the privacy information you provide to them, not only will you be satisfying your transparency obligations under the GDPR, you may also find that they will be more likely to want to participate in the activity.

We have started testing; what can we do with the results?

Provided that you think it is necessary and proportionate to do so, you will probably store the results against everyone’s personnel file. But you need to be mindful that they may take tests again in the future (of their own volition or through additional workplace testing) which means being particularly aware of your obligation to keep their records up to date.

You have a responsibility under health and safety legislation to report cases relating to Covid-19 in the workplace. You will also need to inform your relevant local authorities when there are two or more cases confirmed as this is deemed to be an outbreak. In all cases of data sharing, you should:

  • only share what is necessary and proportionate,
  • always be clear on your legal basis for sharing,
  • ensure everything is documented for future reference (e.g. in your record of processing activities).

Seek advice

Get in touch now if you need more detailed advice and support in this area. You can also find more information on the ICO’s hub. In terms of employment law specifically, this is a complex area and we strongly advise that organisations take advice from ACAS and/or seek specialist legal advice.