Employee health screening and data protection


The UK Government and the three devolved administrations in Scotland, Wales and Northern Ireland have taken different approaches to employee health screening. Employers should therefore check, and keep checking, the requirements that apply to each of their premises, including any local rules introduced after the initial guidance.

If a business wants to screen returning employees, whether by checking for symptoms of COVID-19 or by testing for the virus itself, there are data protection implications. Screening involves processing information that relates to an identified or identifiable individual, so it must be handled lawfully, fairly and transparently. Because screening almost always produces health data, which is "special category" data under the GDPR, it must be protected even more carefully, and the business will also need an appropriate policy document in place, as required by the Data Protection Act 2018 when relying on the employment condition for special category data.

Handling data lawfully means being able to rely on a lawful basis under the GDPR. Employee consent is one candidate, but it is fraught with difficulty: consent must be freely given, and given the imbalance of power between employer and employee, an employee may feel they have no real choice but to agree. Consent obtained in those circumstances would be deemed invalid.

However, there is an alternative. Businesses have a legal obligation to ensure the health and safety of their workplace, and can rely on that obligation, or on their 'legitimate interests' in protecting staff, as the lawful basis for screening. Because the results are health data, a separate condition for processing special category data is also needed; for workplace screening this will usually be the employment condition (processing necessary to meet obligations under employment law), supported by the appropriate policy document mentioned above. In every case the business must not collect or share data that is irrelevant or unnecessary for the purpose.

Note that what counts as relevant and necessary data may change as government guidance is modified, so the scope of what is collected should be reviewed whenever the guidance changes.

In addition, to show that the processing of screening data is compliant with the GDPR, a business will need to take note of the accountability principle, which makes businesses not only responsible for complying with the GDPR but also requires them to be able to demonstrate that compliance. One way of demonstrating accountability is a data protection impact assessment (DPIA).

If your organisation is going to undertake testing and process health information, you should conduct a DPIA focussing on the new areas of risk. The DPIA should set out:

  • the activity being proposed;
  • the data protection risks;
  • whether the proposed activity is necessary and proportionate;
  • the mitigating actions that can be put in place to counter the risks; and
  • a plan or confirmation that mitigation has been effective.

Transparency is very important. A business that wants to test employees for COVID-19 or check for symptoms should be clear about what decisions it will make with that information, and should have clear and accessible privacy information in place for employees before any health data processing begins. (The ICO does acknowledge: "We recognise … that in this exceptional time it may not be possible to provide detailed information".)

Before carrying out any tests, a business should, amongst other things, tell its staff what personal data is required, what it will be used for, how long it will be kept, and who it will be shared with.

All businesses must have appropriate technical and organisational security measures in place. An organisation that is considering screening its employees because of the current health crisis would be prudent to review its existing arrangements, in particular who can access screening results, how they are stored and transmitted, and when they are deleted.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.

Further reading:

What marketing leaders need to know about data protection law

French data protection regulator puts the boot into Spartoo

Damages for distress awarded by Court under data protection law

Italian data protection authority issue further fines

Polish Data Protection Authority reaffirms personal data rules