As we progress into the next phase of the pandemic, employers are considering how to safely reintegrate staff into the workplace whilst also managing the risks of processing health data (which is a special category of data under GDPR) and setting out the expectations for employees.

Click here for our visual overview of the data protection issues. Below we have provided high-level answers to the tricky questions on employers' minds.

Top tips:

  • The ICO has published guidance and will take an "empathetic and pragmatic approach" to regulation.
  • Some form of health screening is possible under ICO guidance and is likely to be a reasonable instruction in the context of a pandemic (although employers will need to consider their proposals in light of what is necessary in their own businesses).
  • Where a member of staff is suspected to have contracted COVID-19, there is scope to inform other members of staff and third parties, although where possible this should be done on a no-names basis and the information provided should be limited.
  • Whenever an employer is processing sensitive personal data, they should bear in mind the data protection principles (i.e. data minimisation, amount of information being processed, purposes of processing etc.), ensure policies are up to date and the requirement to conduct a privacy impact assessment.

Key Risks and Considerations

1) Can employers ask employees to have their temperature screened when arriving at the workplace?

Yes - Provided that it is strictly necessary

Employment risk

If employees consent to having their temperature taken when they arrive at the workplace, then it is uncontentious from an employment perspective.

If the employee refuses to be tested, then whether an employer can sanction that employee (for example, by disciplining them or sending them home without pay) will depend on whether it is a reasonable instruction on the part of the employer. As taking temperatures is not currently recommended by the government for workplaces, this may be difficult. What will be key will be the messaging to staff around why the employer wishes to screen temperatures.

If the employee is sent home following a reading of a high temperature, provided that they are ready and available to work (and not unwell), the employee may be entitled to full pay even if they cannot work from home.

Data protection risk

In order to justify processing this information, employers will need to demonstrate that the temperature screening is necessary. They should therefore consider whether a less intrusive measure would achieve the same end – for example, asking employees to check their own temperatures before coming to work and self-declaring this and/or completing daily health questionnaires.

When considering privacy-intrusive technologies such as thermal sensors, employers need to ensure that they comply with the data protection principles. In particular, any monitoring should be transparent (and included in any privacy notices) and proportionate. Employers should consider whether they can achieve the same results through other less intrusive means. Privacy Impact Assessments are also likely to be appropriate.

2) Can an employer require employees to take a COVID-19 test?

Maybe - Only where there is a good reason to do so

Employment risk

Requiring an employee to take a COVID-19 test is much more intrusive than a temperature test and it may therefore be harder to justify as a reasonable instruction (especially as it is not currently required under government guidance). It is more likely to be reasonable if there is a specific reason why testing is required (for example if they work with vulnerable individuals).

Employers may want to consider the practical challenges of COVID-19 testing as the results are only accurate as at the date of the test and it would be unattractive and costly to repeat these on a frequent basis.

Data protection risk

Employers will need to demonstrate why COVID-19 testing is necessary (i.e. maintaining a safe workplace for staff). In addition, employers should be able to demonstrate that there is not a less intrusive way to achieve the same objective (e.g. self-isolation/working from home). It is also likely that an employer will need to carry out a Privacy Impact Assessment before processing this data.

If an employer can satisfy the above, testing should in any event be confined to those employees that pose a particular risk, for example because of their location and circumstances.

3) Can employers require employees to download the government-approved contact tracing app?

Maybe

Employment risk

If the employee consents to downloading the app, then there is no issue.

However, given the nature of the location tracking and health data processed by this app, combined with potential security/privacy concerns, employees may not agree to downloading the app. It will be fact-specific as to whether the employer can rely on a reasonable instruction to require employees to download it. For example, if the employer was not attending the office or face to face meetings in the foreseeable future, it is unlikely to be reasonable.

To minimise any risk, we suggest that sensitive communication is key to justifying the instruction to download the app, stressing that the app is a means of preventing the spread of COVID-19. Of course, employers will not be able to monitor whether employees actually input data into the app.

Data protection risk

Data protection will only be a consideration if the employer is processing the employee's information. The app does not give employers access to the data input by employees so data protection is unlikely to be an issue.

4) Can employers keep lists of employees who have symptoms or who have tested positive for COVID-19?

Yes

Employment risk

From a practical perspective, employers should ensure that the lists are kept confidential and employment decisions are not made on the basis of such lists.

Data protection risk

The ICO has confirmed that this is possible from a data protection perspective. Provided that the employer only collects the data that it requires and complies with all of the data protection principles (i.e. the data collection is necessary and relevant for the employer's purpose, the data is secure and confidentiality owed to employees has been taken into account) then it can be justified.

5) Can employers share data about affected employees?

Maybe

Employment risk

Employers will need to carefully manage this situation in order to reassure employees about the reason for taking this action and that their health data is being treated sensitively so as to not breach the duty of mutual trust and confidence.

Data protection risk

Where an employee has tested positive for COVID-19, an employer is likely to be able to justify sharing the information with other employees that have worked in close proximity to them or clients/third parties they have come into contact with. However, in line with the data protection principles, where possible the employer should not disclose the identity of the employee and should provide as little information as possible.

6) Can employers ask their employees to self-declare COVID-19 symptoms?

Yes

Employment risk

Employers will need to carefully manage this situation in order to reassure employees about the reason for taking this action and that their health data is being treated sensitively.

Data protection risk

The ICO has previously stated that it would be reasonable to ask employees to inform their employer if they are experiencing symptoms of COVID-19. Although the ICO's updated guidance no longer addresses this point, it is still possible to ask employees to self-declare symptoms (and this will be particularly important where the employees are interacting with other staff and third parties).

It is important to comply with the principle of data minimisation; employers should not collect any more information than needed and should ensure it is treated with appropriate safeguards.

7) If immunity passports are introduced, can employers require employees coming into the workplace to have one?

Maybe

Employment risk

This is a tricky issue that may emerge in the coming months and employers will need to manage it carefully. If the government were to introduce immunity passports for the workplace, it may be a reasonable instruction for an employer to require an employee without one not to attend the workplace.

If employees are not able to do their normal job because they do not hold immunity passports, then we consider that (at the current time) they would be entitled to receive normal pay. If the employees subsequently became ill then we consider that they would be eligible to receive sick pay in the normal way.

Data protection risk

This answer is subject to any system of immunity passporting that is implemented and government requirements.

We consider that it is likely that employers will be justified in processing any associated health data, subject to the normal data protection considerations.

Originally published 14 August, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.