As businesses make plans for staff to return to the workplace after months of remote working due to the pandemic, the prospect of testing in the workplace raises some important data protection issues.
Can employers keep records of their employees' COVID-19 health status?
Yes.
All businesses need to ensure that they maintain their operations during the pandemic. As such it is essential that a record of their employees' health status is maintained so that the business can monitor who is, and who is not, available for work. The Information Commissioner's Office (ICO) guidance on workplace testing is clear that:
"Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency. But it does require you to be responsible with people's personal data and ensure it is handled with care."
As long as the business adheres to data protection principles when collecting and storing this data, it is free to do so. Given that the data being collected relates to employees' health, particular care must be taken as it can only be processed by the employer is defined and restricted circumstances. Employers must ensure the processing is covered by a short policy document that outlines how the data protection principles will be complied with and how retention and deletion of health data will be managed, together with an indication of how long the data will be held.
It is essential to store the data carefully to protect the interests of the data subject and preserve confidentiality. Access to health records must be strictly limited, the records should be kept up-to-date, with irrelevant and out-of-date information destroyed securely.
Should employers revisit the privacy notices they provide to employees?
Yes.
The type of personal data being collected and the reasons for collecting this data will undoubtedly change in the light of the business's requirement to protect the health and safety of its employees due to the COVID-19 pandemic. Privacy notices are used to enable data subjects to understand how their data is used, what data is being processed, the reasons for processing, and why it is retained. Employers who are processing their employees' data in new ways or for new purposes are therefore required to update their privacy notices to make sure that this is transparent to all concerned. As part of this, it is important to communicate with employees about the new arrangements.
Will the rules for processing health data be the same across Europe?
No.
Many businesses have operations across Europe. Although the General Data Protection Regulation (GDPR) applies across Europe, the law allows for local variations in certain cases, which can govern, for example, the ability to monitor employees' health and check for symptoms of COVID-19, including temperature testing and transferring health data to a new jurisdiction. Businesses must, therefore, take advice on the position depending on the jurisdiction and what is planned.
In certain jurisdictions, employers are required to consult with employees about data issues through work councils. In the UK, there is not usually a requirement to consult about data issues, but if an employer is considering the introduction of new measures that affect the use of employees' data as part of the COVID-19 risk assessment, then employees should be consulted about those issues in that context.
Can employees be forced to take a test for COVID-19?
Maybe.
Many businesses are considering the introduction of testing for COVID-19 as a way to keep their staff safe. The starting point is that the data protection framework does not prevent employers from taking steps to keep their staff safe. While employers cannot usually require employees to undertake health testing, it may be possible, depending on the role the employee is performing, to require them to do so where there is a good reason for this.
Can employers require employees to have their temperature taken on arrival at work?
Yes.
As part of the measures to be implemented to protect employees' health and safety in the workplace, it is possible to require employees to have their temperature taken on arrival at work. If it is planned simply to check an employee or visitor's temperature on arrival at work, but not to retain a record of that check, then the employer is unlikely to be processing their personal data and so there is no need to comply with data protection principles.
If it is planned to retain the health data associated with the temperature check, it is important to ascertain the legal basis for processing the data, consider the accountability principle and use a Data Protection Impact Assessment to determine the necessity and proportionality of taking this step.
Businesses must consider how much importance to place on temperature testing as a way to protect employees' health; temperature is only one symptom of COVID-19. They should ensure that, if temperature records are retained, they are accurate, and that historical records are deleted, as this information will soon become obsolete.
What about using thermal cameras?
Maybe.
Businesses that are considering the use of thermal cameras to take the temperature of those arriving at a workplace should be cautious. Thermal cameras can be more intrusive than taking temperatures using a thermometer. Care must, therefore, be taken beforehand to assess the privacy risks associated with the proposed use of such cameras, how they work, what personal data they will process, and whether less intrusive alternatives are available, to make sure that the use of such technology is proportionate. This may mean employers must undertake a Data Protection Impact Assessment before committing to using this technology.
Can employers monitor remote working employees' productivity?
Maybe.
There is a concern that some employees may not have been as productive as possible during the lockdown. If this is found to be the case, what steps can be taken to monitor their productivity? Employers are neither expressly allowed to monitor employees' systems, nor are they prevented from doing so. The position has not changed because of COVID-19, but the justification for taking steps to monitor productivity may have.
The starting point, as with other areas where monitoring is intrusive, is to undertake a Data Protection Impact Assessment. Crucially, employees need to be informed that their productivity is being monitored. They need to understand in what circumstances their work will be monitored, what will be monitored, how the information obtained will be used, and what safeguards are in place for those who are subject to monitoring. This is because there is a clear expectation of privacy when people are at work.
In practice, employers should try to reduce the impact on staff by not monitoring the content of emails; rather, they should monitor the times when emails are sent, headings, and the number of emails to ensure workers are working productively. Employees should be told to mark private emails as such, and these should be excluded from the monitoring process.
Can staff be informed that a colleague has contracted COVID-19?
Yes, but the identity of the colleague must be kept confidential unless it is impossible to avoid disclosing this.
Maintaining the health and safety of staff is imperative. Employees must be notified of the risk of infection as soon as possible to protect their health and safety, but in doing so the employer should avoid disclosing the identity of the person who is unwell. The ICO guidance for employers on workplace testing provides that employers should not disclose more information than is necessary, and says that in most cases it will be unnecessary to name the individual.
Employers should, therefore, advise employees that a colleague who has been in the workplace has been infected and that appropriate precautions must be taken in line with the business' health and safety at work assessment.
Can employers share details of infected employees with the authorities?
Yes.
Health data can be shared where it is necessary for public health purposes and where data protection law would not stand in the way of making a disclosure where this is on the basis of a properly framed request. It is important to understand the basis for any request that is received and, once that has been clarified, to be clear about the lawful basis for sharing this data.
Employers do need to consider whether the request can be satisfied by providing anonymous data rather than specific data about employees. In the majority of cases it should be possible to satisfy the request by sharing anonymous data.
Can employers introduce a requirement that employees download and use a contact-tracing app?
Maybe.
In workplaces where it is difficult to guarantee social distancing, employers could introduce a requirement that employees who have a device provided by the employer download a contact-tracing app. The justification is that it is required to protect health and safety and minimize sickness absence.
If the employer intends to process personal data produced as a result of the employee using the app, it will need to have a lawful basis for processing this data and comply with the GDPR and the Data Protection Act 2018. This would include conducting a prior assessment of the risk of the processing. It is difficult to rely on consent in an employment context as the basis for processing data due to the inherent imbalance in the relationship between the employer and employee, and any legitimate interests grounds for such processing may be harder to justify where the nature of the solution proposed is not proportionate.
The issue is not straightforward. If employers are going to insist that employees use an app, they need to be confident that the app is secure so that health data will not be used for purposes other than as intended. It is questionable whether employers can require employees to use the app outside work, which presumably is essential for it to work. Doing so could infringe employees' privacy.
In practice, the employer will be forced to rely on the employee self-declaring if they have come into contact with someone who is infected. If employees who are required to self-isolate are paid statutory sick pay (SSP) this could be a deterrent to an employee who should self-isolate but has no obvious symptoms.
The ICO and government are likely to publish further guidance on contact-tracing apps and this will be helpful for employers considering the introduction of such a requirement to its workforce, given the complexity of the issue and the factors that need to be balanced.