COVID-19 testing and monitoring in the workplace
Can employers test and monitor employees during the COVID-19 pandemic?
The key takeaway
The ICO coronavirus recovery guidance notes that employers may test employees for COVID-19 and monitor employees in the workplace by relying on Article 6(1)(f) GDPR and Article 9(2)(b) GDPR, along with Schedule 1 Condition 1 of the Data Protection Act 2018. This will only be permissible if the processing is strictly necessary for legitimate purposes that bring justifiable benefits and comply with the principles of proportionality.
ICO guidance on testing and monitoring in the workplace
The ICO guidance covers the collation of data about COVID-19 test results and the monitoring of employees' movement within the workplace.
When considering workplace testing and health data, employers should consider relying on Article 6(1)(f) GDPR and Article 9(2)(b) GDPR, along with Schedule 1 Condition 1 of the Data Protection Act 2018. Article 6(1)(f) GDPR notes that processing shall be lawful only if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Article 9(2)(b) states that processing of special categories of personal data is permissible if the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data subject in the field of employment.
As such, employers will seek to rely on these Articles due to an employer's health and safety at work obligations, so long as they are not collecting or sharing irrelevant data. The guidance confirms that an employer can retain a list of employees who have symptoms or have tested positive for COVID-19, but only where this processing is necessary and relevant for the employer’s stated purpose, eg it may be necessary to retain a list to determine whether to grant an employee access into a building. If maintaining an ongoing record is necessary (eg to provide ongoing healthcare support to affected employees), employers must take care to ensure that the list does not result in any unfair or harmful treatment of the employees.
The guidance also states that naming a specific individual who contracted the symptoms should only be done where necessary. If employers are required to share the data with authorities for public health purposes or the police, then data protection laws will not prevent the employer from disclosing this information.
The guidance allows employers to monitor staff using thermal imaging and traditional CCTV, though the monitoring of employees must be necessary and proportionate. This includes ensuring that employers do not hold more data than is necessary for their purpose. The Surveillance Camera Commissioner (SCC) and ICO have updated the SCC Data Protection Impact Assessment template to assist employers when considering the use of thermal cameras or other surveillance during the pandemic.
Why is this important?
In light of the COVID-19 pandemic, various employers are seeking to monitor and test employees. However, the processing of data should be limited to only that which is necessary. If employees believe their personal data has not been processed in accordance with data protection laws, they can complain to the ICO. The ICO can impose sanctions and fines of up to 4% of global annual turnover or €20m (whichever is the greater). Employees can also have grounds to bring whistleblowing claims and employee/employer grievances.
Any practical tips?
Carefully follow the ICO guidance to identify the purpose for which you are seeking to monitor or test your employees for COVID-19. The monitoring and testing needs to be necessary and proportionate to the purpose, therefore employers should consider if there is a less intrusive way to protect their business and monitor employees without breaching data protection laws.
By conducting a Data Protection Impact Assessment (DPIA), employers can record the risks and mitigation steps they have taken prior to monitoring and testing.
Employers should inform their staff of what monitoring and testing will be carried out, the purposes of the monitoring and testing, and what personal data is required. Also consider relevant training for employees who will be processing personal data, as well as introducing measures to limit the number of people with access to personal data, the amount of data collected and the length of time it is retained.