Organisations should avoid simply diving into workplace Covid testing or collection of home testing results without some real thought into the implications of it. This article will allow you to consider whether it's really necessary and ensure you think about your data protection obligations.
Any testing of COVID-19 or collection of any test results from lateral flow tests for example, relates to an individual’s heath and therefore it is regarded as “special category data” which ultimately means additional safeguards are required. Organisations should ensure the data is well looked after, handled with care and kept secure. It shouldn’t be shared with any un-authorised parties.
Workplace Covid Testing & Transparency
You should ensure employees know absolutely everything about your testing or collection of their test results. As a minimum you should be clearly informing them of why you’re collecting the testing information, what decisions you’ll be making with the results, what you’ll be using it for, how long you’ll be retaining it, how you’ll keep it safe and who you’ll be sharing it with. You’re required to have a policy detailing any processing of special category data across the organisation.
Accuracy
You have a requirement to keep personal data up to date so it would be wise to record the dates of any tests.
Is Workplace Covid Testing Necessary?
Start by addressing key questions before embarking on Covid-19 testing:
- What is your purpose in requiring the testing?
- Do you really need the testing?
- Will the testing actually provide a safe environment?
- Could you achieve your purpose without requiring testing, such as using other reasonable methods like social distancing, mask wearing and working from home?
Data Protection laws are clear that you should consider less intrusive ways of achieving your purpose before processing special category data. If you decide testing is necessary then make sure you have controls around this. Can you confine testing to the highest risk roles as opposed to blanket testing? Can you limit access to the data to particular senior personnel?
Lawful Basis & Condition for Processing
To process any personal data you need a lawful basis. To process special category data, you need to rely on an additional condition. Therefore to implement testing or collect an employee’s test results you’ll need to decide and have documented what lawful basis and additional condition you’re relying on.
Lawful Basis - You’re likely to use “public task” (for public authorities) or “legitimate interests” (private and public organisations). The latter probably being more common. You should ideally put together a legitimate interest’s assessment when relying on this lawful basis for the processing.
Additional Condition – There are 2 conditions you’re likely to rely on:
- The employment condition - this may apply to organisations that are testing under their employer health and safety conditions.
- The public health condition – this includes employers who are helping to stop the spread of the virus by running their own testing programmes and reporting results to relevant public health contact tracing authorities.
Data Protection Impact Assessment
Introducing workplace testing or the requirement for lateral flow tests will create data protection risks, which is why it is imperative to undertake a data protection impact assessment BEFORE you implement testing. This will identify risks and ensure you’re doing all you can to limit any breaches of data protection and it will be the deciding tool you use as to whether you can safely implement the testing.
Should you inform other staff of positive results?
Yes, but you should avoid naming the individuals and give no more information than is absolutely necessary.
Symptom Checking
Even if you’re just checking the temperature of staff or customers and not recording it, you’re still “processing” special category data. High temperature results could have negative effects on the person being checked so you need to be able to justify the use of a temperature test & assess its effectiveness. Only undertake this if you’re satisfied you have a lawful basis & there is no less intrusive way of achieving your purpose.
Staff questionnaires about symptoms or collection of positive lateral flow test results is also special category personal data that you’re collecting, and you should revert to the data protection principles outlined in this article and undertake a data protection impact assessment before implementing this measure.
Don’t forget – the
ICO (Information Commissioner’s Office) can issue very high fines for breaches of data protection rights.
If you’re a Wirehouse GDPR client, speak to us today regarding any further questions, help with undertaking your data protection impact assessment or if you require a policy template for your special category data processing. If you are not a Wirehouse client, contact us for guidance surrounding data protection relating to workplace covid testing and details of our GDPR service.
