COVID-19 testing and data protection

We look at some of the data protection issues around testing employees at work for COVID-19.

It is likely that the full return of employees to their ‘pre-COVID 19’ workplace is going to be a long and sometime tricky process. It may also be that further national or local outbreaks could result in new measures coming into place that require employers and employees alike to carefully consider where employees can work and how they can do so safely.

As part of this long process, some employers are considering the need and/or benefit to arrange in-house testing of their employees, or to require employees to undertake regular testing and to provide evidence of their results. This raises a range of legal and employee relations issues, including important, but often over-looked, data protection issues.

The Information Commissioner’s Office (ICO) has published some very thorough and useful guidance on these issues and all employers faced with these issues should consider that guidance.

Data protection implications

By collecting, storing and using employees’ test results, the employer is processing data concerning their health. This is ‘special category data’ (what used to be referred to as ‘sensitive data’) and requires additional safeguards to the personal data that an employer might process in the day-to-day course of the employment relationship.

As a rough summary, an employer must be able to show that:

  • there is a legal basis for processing the relevant data
  • the data is necessary and relevant to the main objective
  • they appreciate the risks or impositions upon any individual’s personal data rights and have sought to address those
  • adequate steps are in place to ensure the security and integrity of the special category data
  • it will not be stored for any longer than required, and
  • the employer has informed affected employees of the need to collect the data, the process by which it is collected and employees’ rights in respect of the data

The potential implications of collecting testing, or even vaccination, data are very serious. However, it is also worth remembering that data protection laws are not intended to prevent employers taking action to ensure the safety of their employees and the workplace. It is key, therefore, that employers demonstrate an appreciation of the relevance of the data protection issues, and that they demonstrate the steps that they have taken to protect the data rights of employees and third parties.

Q: Can we require employees to undertake tests and collect details of the results?

A: Potentially, yes.

However, whilst this might sometimes seem like an effective way of creating a ‘COVID-safe working environment, employers should first really scrutinise why they need to, and why they need their employee’s data for this:

  • Is compiling a database of test results really necessary for the business?
  • Is there any reason why the business cannot rely upon the honesty of its employees and the usual test and trace procedures to confirm if anyone is impacted by a positive test result?
  • Is imposing this requirement going to be good for employee relations?

There are many circumstances in which it may be appropriate, or even necessary, for an employer to collect and process the results of their employees’ tests. COVID-19 remains a ‘notifiable’ disease, and so certain obligations fall upon an employer to prevent its spread and to report an outbreak. Likewise, there may be circumstances where there is legitimate business need to know if any employee has the virus, or a need to protect other employees, customers, production or the public. In short, the steps must be necessary and reasonable.

Q: We want to ask employees to undertake weekly testing and to tell us the results, what should we do?

A: Complete a data protection impact assessment and identify any potential data protections issues and solutions.

As with any exercise that might impact upon data protection, the business should complete an assessment and document it. It should demonstrate that the employer is aware of the issues involved, and how they propose to deal with them.

If the assessment demonstrates that any proposal might seriously breach employees’ data rights, then the employer must be prepared to amend their proposal, or to justify why any risk of a breach is justified.

If the decision is then to proceed and to require testing, it is sensible to inform the affected employees early and with full information and explanation.

Q: All our staff have consented to testing - is that enough?

A: No.

Although it is nice to have, employers should never rely upon an employee’s consent to collect and process their data.

Consent must be (a) freely given, and (b) just as freely withdrawn. It is very hard to show that an employee has ever truly freely given their consent when asked by an employer to process their data, as there is always a risk the employee felt obliged to agree as part of their job. In addition, even if they have genuinely consented, thinking that testing is a good idea, they could just as easily change their mind in the future and withdraw the consent, leaving you with no basis or authority to process the data.

Having said that, it would still be sensible to seek an employee’s agreement to testing from an employee relations point of view.

What is the legal basis for testing employees and collecting the results?

A: As long as the employer can show a legitimate reason for testing and collecting the results, it is likely they can rely upon a ‘legitimate interests’ justification.

As the test results are health data, or special category data, the Data Protection Act imposes additional conditions that must be met for processing. These are set out at Schedule 9 and employers should be familiar with these, or take relevant advice before they impose any testing requirement.

Generally speaking, however, private employers should be able to rely upon ‘legitimate interests’, including satisfying health and safety requirements, as the justification to collect and process the data. For this the employer must be able to demonstrate that they have a legitimate reason to collect the data in the first place, and that they are collecting the minimum amount of data necessary and not retaining that data for any longer than necessary.

Q: If someone returns a positive test, can we disclose that to other employees?

A: Yes. You can notify them that there has been a positive test if that could potentially have an impact upon them, but you should be very careful about disclosing any further information.

There may even be situations that arise where there is an obligation on employers to inform employees, or even third parties, that there has been a positive test. As with any situation, obligations on people to isolate if they have been in close contact with anyone who tests positive remain. Plus, as already mentioned, COVID-19 remains a notifiable disease and employers will need to notify the relevant authorities in the event of an outbreak.

However, these obligations themselves would not necessarily justify or require an employer to undertake in-house testing. The existing test and trace arrangements should ensure that any employees who have been in contact with a colleague, supplier or customer who has a positive test result are notified and advised if they need to isolate.

Even if you do complete your own testing, ensure that you only disclose the minimum amount of information and data as is necessary. For example, an employer can notify individuals of a positive test result and any steps they should take without disclosing the name of the employee who has the positive test.

Where an employee has voluntarily informed the business of their test results, all of the same issues apply as if the employee was subject to mandatory testing. The business must assess whether or not they need this data and, if so, on what basis they can justify keeping it, what they will do with it, how they protect it and how they dispose of it. If there is no justifiable need to retain the information, it should be deleted.

Q: If we do in-house testing, must we have a specific policy to cover this?

A: Strictly speaking, no. However, this may well be a good idea and best practice.

Key requirements of the data protection legislation are transparency and accountability. It is important that a business informs its employees, customers, suppliers etc of precisely what data they may collect, why, what they will do with it, how it will be stored and how it may be destroyed. The business is also obliged to have systems in place to protect and manage the data, and to deal with any breach or other problem should it arise, and for relevant people to know those systems and to implement them.

All of this information could be set out in a privacy notice, or in correspondence with the employees. However, it is arguably best set out in a policy that is accessible to anyone, regularly reviewed and updated as necessary.