Covid-19 – Workplace Testing and Monitoring
The ICO has published guidance on Covid-19 workplace testing and monitoring. Whilst some organisations have been engaged in testing for several weeks now, others are planning to return to the workplace and have questions about what is and isn’t permissible. The guidance provides some clarity and reiterates earlier guidance regarding the approach to regulatory action published in March which requires a proportionate response.
The ICO states that “As long as there is a good reason for doing so, you should be able to process health data about COVID-19”. It also makes it clear that temperature checks or thermal cameras as part of testing or monitoring of staff will be permissible provided they meet the ICO’s requirements.
Data about the health of workers including test results is “special category data” under the GDPR. As such it is given specific additional protection. Not only must there be a lawful basis for data processing (such as legitimate interests), there must also be a condition for processing. Conditions include explicit consent and employer obligations as regards health and safety in the workplace.
The ICO has produced a template (accessible on this page under “is there a template I can use?”) in which to record rationale and planning in a Data Protection Impact Assessment. This will generally be the first step in considering and recording whether the proposed activity is necessary and proportionate.
Workers (particularly key workers) may be encouraged or requested to undergo testing and report their results. Consideration will need to be given to the extent to which this can be a requirement of their employment. As the ICO highlights, there are many other factors to consider such as employment law, contracts with employees, health and safety requirements and equalities issues.
Employers’ approach should bear in mind Government advice at the relevant time and it will be necessary to keep arrangements under review as we progress through the pandemic.
Key issues when considering what measures can be implemented follow the ICO’s approach to the processing of data generally:
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.