ICO issues new guidance on COVID-19 workplace testing
The ICO has released guidance for testing employees for COVID-19 in the workplace.
The guidance comes as England starts loosening some of its lockdown restrictions, including encouraging employees who cannot work from home to go into work.
ICO Guidance
Workplace testing clearly brings data privacy issues. The key points in the guidance include:
1. Lawful Basis for Processing
Health information is special category data under the GDPR. Therefore, there must be a lawful basis to process the data under both Article 6 (normal category data) and Article 9 (special category data) of the GDPR.
For the first of these bases, while all employers need to tailor their basis to their own organisation, the ICO suggests one option could be if the processing is ‘necessary for the organisation’s legitimate interests’. If relying on this ground, a written record of the issues considered should be kept.
For the additional ground of processing, while organisations could seek to rely on explicit consent, an alternative ground could be if the processing is ‘necessary for carrying out the obligations…of the controller…in the field of employment’. Employers have a legal duty to ensure the health and safety of their workforce, but whether this satisfies the threshold of “necessity” in the second ground will depend on the facts of the case and specific legal advice should be sought.
2. Accountability
Organisations must be able to demonstrate their data privacy compliance and keep records. This can be done through a Data Protection Impact Assessment (“DPIA”). A DPIA sets out:
- The activity being proposed
- The data protection risks
- Whether the proposed activity is necessary and proportionate
- The mitigating actions that can be put in place to counter the risks and
- A plan or confirmation that mitigation has been effective
Where a DPIA is used, it should be reviewed and updated regularly.
3. Data principles
The GDPR requires that no more data is processed than is necessary for the specific purposes for which it was collected. A minimum amount of data should be retained. If an employee has a positive result, this data should be minimised in any communications (for example, by not naming the employee). To ensure the data is accurate, the ICO suggests recording the date of any test (as the test result could be inaccurate over time).
Transparently processing the data is key. Employers should be clear, open and honest on what data they are collecting and their reasons. Employees should also know what will happen with the data and how long it will be kept. This should be recorded in a privacy notice.
Data should also be kept securely (including any information voluntarily given by staff if they have already been tested).
4. Thermal testing of staff
Employers considering on-site temperature tests or thermal cameras need to specifically consider their use and justification. Again, transparency is key.
Specifically, employers will need to ensure this monitoring is proportionate, and consider whether the same results could be achieved through less privacy-intrusive means. To assist, the ICO and Surveillance Camera Commissioner have produced a template DPIA specific to surveillance systems.
Comment
Employers should review the guidance. The ICO will likely refer to it if it receives a complaint or notification of a data breach. The guidance helps strike a balance for employers between the need to provide a safe place of work and meet data privacy obligations.
While the above guidance is helpful, there is no “one size fits all” for data processing. Employers need to consider how the above fits into their own organisation and, if they decide to undertake tests, how the tests will be conducted. Data processed must be kept to a minimum and any processing must be transparent.