The privacy implications of workplace testing

20 May 2020

With the Government encouraging more people to return to work, assuming they are not among the group who can work from home, employers are having to think seriously about what measures they will need to ensure workplace safety.

One possibility would be to introduce tests to check whether returning staff have symptoms of COVID-19 or the virus itself.

However, the Information Commissioner's Office (ICO) has warned that there may be data protection issues to be taken into account for anyone deciding to go down this route.

It has therefore published Workplace Testing – Guidance for Employers).

This highlights that any employer carrying out such tests will be processing information that relates to an identified or identifiable individual and will therefore need to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

In fact, it warns, personal data that relates to health is more sensitive and is classed as “special category data” so it must be even more carefully protected.

“Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency,” the ICO points out. “But it does require you to be responsible with people’s personal data and ensure it is handled with care.”

The guidance gives details of the lawful basis which employers can apply when testing their staff and advises them on clearly demonstrating that their approach to testing is compliant with data protection law.

In line with the legislation mentioned above, the ICO also advises on how to ensure that the information collected is adequate, relevant and, in particular, limited to what is necessary.

A further important point it emphasises is the need for total transparency and for keeping staff informed of plans for testing and for dealing with the resulting information, including the possibility of it being shared with third parties.