Privacy and the pandemic – the data protection implications of employee health screening


There are variations in approach taken by the UK Government and the three devolved administrations in Scotland, Wales and Northern Ireland. This means that employers should ensure that they comply with the relevant local requirements for each of their premises, including any local differences that may be introduced.

When its employees return to work, if a business wants to carry out tests to check whether they have symptoms of COVID-19 or the virus itself, there will be data protection implications. This is because such tests involve the processing of information that relates to an identified or identifiable individual, which must be handled lawfully, fairly and transparently. In fact, since screening will almost certainly involve health data, that data must be protected even more carefully, because it is “special category” (sensitive) personal data. Businesses will also have to make sure that they have an appropriate policy document in place.

Handling data lawfully means being able to rely on a legal basis, as provided for in the GDPR. Although that basis could be employee consent, relying on consent is fraught with difficulty: an employee might feel they have no real choice but to agree, and the consent would therefore be deemed invalid.

However, there is an alternative – businesses have a legal obligation to ensure the health and safety of their workplace, which means that they have a ‘legitimate interest’ in carrying out screening and can rely on this as a legal basis (as long as they are not collecting or sharing irrelevant or unnecessary data).

Note that what is relevant and necessary data to collect may change as government guidance is modified, so care needs to be exercised.

In addition, to show that the processing of data obtained from screening is compliant with the GDPR, a business will need to take note of the accountability principle – which makes businesses not only responsible for complying with the GDPR, but also says that they must be able to demonstrate their compliance. One way of demonstrating accountability is through a data protection impact assessment (DPIA).

If your organisation is going to undertake testing and process health information, then you should conduct a DPIA focussing on the new areas of risk. This DPIA should set out:

  • the activity being proposed;
  • the data protection risks;
  • whether the proposed activity is necessary and proportionate;
  • the mitigating actions that can be put in place to counter the risks; and
  • a plan or confirmation that mitigation has been effective.

Transparency is very important – if a business wants to test employees for COVID-19 or check for symptoms, it should be clear about what decisions it will make with that information. In addition, it should have clear and accessible privacy information in place for employees, before any health data processing begins. (Although the ICO acknowledges: “We recognise … that in this exceptional time it may not be possible to provide detailed information”).

Before carrying out any tests, a business should, amongst other things, let its staff know what personal data is required, what it will be used for, and who it will share it with.

Obviously, all businesses should ensure that they have appropriate technical and organisational security measures in place. If an organisation is considering screening its employees due to the current health crisis, it would be prudent to review existing arrangements.
