Workplace testing for COVID-19

The UK Information Commissioner's Office (ICO) has published guidance for employers on testing employees for COVID-19 and on how the resulting data should be handled.

The guidance, in the form of Q&As, reaffirms the requirement to comply with data protection law, in particular the GDPR and the Data Protection Act, i.e. handling personal data ‘lawfully, fairly and transparently’. Provided that employers handle employees’ personal information responsibly and in compliance with those rules, data protection law does not prohibit them from testing their staff.

Regarding employers’ lawful basis for testing employees, the guidance highlights the ‘public task’ basis under the GDPR for public authorities carrying out their functions, and the ‘legitimate interests’ basis for public and private employers.

Because test results are health data, they are classed as ‘special category data’ and are subject to more stringent requirements: in addition to a lawful basis, employers need a separate condition for processing special category data, and the guidance expects a data protection impact assessment (DPIA) to be carried out before testing begins, together with records documenting what data is collected, why, and how it is handled. A DPIA should set out:

  • the activity being proposed
  • the data protection risks
  • whether the proposed activity is necessary and proportionate
  • the mitigating actions that can be put in place to counter the risks
  • a plan or confirmation that mitigation has been effective