The United Kingdom's Information Commissioners Office has issued guidance for employers on data protection issues related to the return to the workplace as part of the COVID-19 "new normal."
General Principles
Legal Basis
- Testing for symptoms is processing of personal data and subject to the General Data Protection Regulation (GDPR).
- For private employers, legitimate interests is likely to be the appropriate legal basis for processing
- For health data, employers must also identify an Article 9 condition for processing (e.g Article 9(2)(b) - employer's obligations on health and safety).
Data Minimization
- For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfill your purpose.
- In order to not collect too much data, you must ensure that it is: adequate – enough to properly fulfill your stated purpose; relevant – has a rational link to that purpose; and limited to what is necessary – you do not hold more than you need for that purpose.
Transparency
- Be clear, open and honest with employees from the start about how and why you wish to use their personal data.
- Have clear and accessible privacy information in place for employees, before any health data processing begins.
- The ICO recognizes that in some cases it may not be possible to provide detailed informationi in advance.
Data Subject Rights
- Ensure that staff are able to exercise their information rights.
- Put processes or systems in place that will help your staff exercise their rights during the COVID-19 crisis.
- For example, setting up secure portals or self-service systems that allow staff to manage and update their personal data where appropriate.
Employee Testing: Possible, But
Transparency
- Be clear about what decisions you will make with that information.
- Before carrying out any tests, you should at least let your staff know:
- what personal data is required
- what it will be used for
- who you will share it with
- how long you intend to keep the data
- If possible, provide employees with the opportunity to discuss the collection of such data if they have any concerns.
Data Protection Impact Assessments (DPIA)
You should conduct a DPIA for the testing. This DPIA should set out:
- the activity being proposed
- the data protection risks
- whether the proposed activity is necessary and proportionate
- the mitigating actions that can be put in place to counter the risks
AND
- a plan or confirmation that mitigation has been effective
Data Minimization
- For example, you will probably only require information about the result of a test, rather than additional details about underlying conditions.
- Consider which testing options are available, to ensure that you are only collecting results that are necessary and proportionate.
- As an employer, you should be able to demonstrate the reason for testing individuals or obtaining the results from tests.
Temperature Checks/Thermal Cameras: Possible, But
- As this is more intrusive technology, give specific thought to the purpose and context of its use and be able to make the case for using it.
- Make sure that any monitoring of employees is necessary and proportionate, and in keeping with their reasonable expectations.
- Think about whether you can achieve the same results through other, less privacy-intrusive means. If so, then the monitoring may not be considered proportionate.
- You can use the surveillance camera DPIA template to this end.
Maintaining Lists of Employees who Tested Positive: Possible, But
- Ensure the use of the data is actually necessary and relevant for your stated purpose.
- Ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.
- Ensure that such lists do not result in any unfair or harmful treatment of employees (e.g. from inaccurate data or data which isn't up to date).
- Don't use the data for any purpose which is not reasonably expected.
Disclosing an Employee's Condition: Possible, But
- Keep staff informed about potential or confirmed COVID-19 cases among their colleagues.
- However, you should avoid naming individuals if possible.
- Do not provide more information than is necessary.
Receiving Test Results from an Employee: Possible, But
- Have due regard to the security of that data.
- Consider any duty of confidentiality owed to those individuals who have provided test results.
- Make sure your use of the data is necessary and relevant.
- Do not collect or share irrelevant or excessive data to authorities if this is not required.
Additional Information
UK ICO: Workplace Testing – Guidance for Employers
[View source.]