Coronavirus Workplace Testing – Personal Data implications

The Information Commissioner’s Office (ICO), the UK’s data governance body, has issued guidance for employers to rely upon should they decide to test employees for Coronavirus or its symptoms.

Clearly, the medical information of employees is of paramount sensitivity which must be protected by the employer by additional safeguards and further layers of fortification.

During the current pandemic, a lot of businesses, quite understandably, may not seek to actively consult the provisions of the Data Protection Act 2018 (DPA); having been more focused on maintaining its workforce and continuing to trade.

To save you time reading them chapter and verse, we’ve summarised below the ICO’s key points on how much you ought to consider data protection of your employees if you want to introduce workplace testing:

1. Which lawful basis (under the DPA) can I use for testing employees for Coronavirus?
   You may process employees’ health data regarding Covid-19 provided you have a good reason for doing so. It would likely fall into the ‘legitimate interests’ (one of the six lawful basis’) basis for processing personal data, as plainly, by testing and tracing Codiv-19 in the workplace, you have a more empirical reason for following the Governments’ guidance on putting in place measures to protect your staff and customers.
2. How can I implement testing for Coronavirus whilst complying with data protection?
   You should consider completing a ‘Data Protection Impact Assessment’ to assess and monitor the risks to personal data when testing for Coronavirus. The ICO have produced a helpful template of a DPIA , although it is encouraged that this template should be modified for your specific business and testing protocol.
3. Can I record the names of employees who have been tested as positive for symptoms?
   Yes. So long as you keep the data secure and that you only keep the data for purposes for which it was originally collected and only for so long as necessary. You should not use this data for any other purposes.
4. What and how do I tell my employees who I want to test?
   You should be upfront and honest in your approach, as everyone should be aware of the risks and seriousness of the current pandemic. Be clear on how you will use the personal data they provide about their symptoms and reassure them that all information is given in confidence and will remain secure only for as long as in necessary. You should ask your staff what information you want from them and let them know who you might share the data with (e.g. appropriate health care professional).

If you have any questions on Coronavirus testing, contact a member of our Regulatory team on 01484 519 999 for a chat on how we can help your business become #CovidCompliant.