COVID-19: testing in the workplace and GDPR

As Government restrictions begin to lift, many more people are now returning to the workplace where working from home isn’t possible.

The Information Commissioner’s Office have published guidance to help employers comply with their data protection obligations where it’s proposed to undertake testing in the workplace.

The guidance is available here.

Here are some of the headline points:


Testing employees:  Is it necessary to consider data protection laws?

The short answer to this is yes.

Personal data that relates to someone’s health is classed as “special category data”.  This means that it must be carefully protected.

As the ICO have said:

“Data protection law does not prevent you from taking the necessary steps to keep your staff and public safe and supported during the present public health emergency.  But it does require you to be responsible with people’s personal data and ensure it is handled with care”.


Lawful basis

Employers need to have a lawful reason to process personal data.

The ICO suggests that the lawful basis for processing health data about COVID-19 is likely to be legitimate interests.

It could also be that this kind of processing activity is necessary in order to comply with a legal obligation, i.e. the employer’s duty under the Health & Safety at Work Act, to provide a safe working environment.

What’s important, however, is that employers identify an Article 9 condition for processing.  This is because health data is special category data under data protection law.


Being accountable

For employers to show that this kind of processing activity is compliant, they’ll need to act in accordance with the accountability principle.  The accountability principle requires employers to demonstrate compliance with data protection laws when processing sensitive data.

One way of doing this is to undertake a Data Protection Impact Assessment (DPIA).  This should set out:

  • the activity being proposed
  • the data protection risks
  • whether the proposed activity is necessary and proportionate
  • mitigating actions that can be put in place to counter the risk
  • a plan or confirmation that mitigation has been effective

DPIAs are designed to be flexible.  They should be regularly reviewed and updated.  The ICO has drafted a template DPIA, which is set out in its guidance.


Collecting too much

One of the central planks of the GDPR is collecting and retaining the minimum amount of information needed to fulfil your purpose.  In other words, you shouldn’t gather more data than you actually need.

The ICO has suggested that to make sure that you don’t collect too much data, organisations should ensure that the data is:

  • Adequate – enough to properly fulfil your stated purpose
  • Relevant – have a rational link to that purpose
  • Limited to what is necessary – you do not hold more than you need for that purpose

In the context of test results, is it enough just to know the result of a test, rather than additional details about underlying conditions?


Tell people

Transparency is key.  Employers should already be clear, open and honest with employees about how their personal data is processed.  This is crucial when processing health information.

This may mean updating the information in your privacy notice, or perhaps circulating a specific COVID-19 notice.  The ICO does, however, recognise that “in this exceptional time it may not be possible to provide detailed information”.

However, before carrying out any tests, employers should let staff know:

  • what personal data is required
  • what it will be used for
  • who it will be shared with
  • how long the data will be kept

The ICO also recommends that employees are given the opportunity to discuss any concerns they might have.




1 June 2020

Cassandra Zanelli

Widely recognised for her expertise in the industry, and listed among the 100 most influential people in residential leasehold management, Cass heads the team at PM Legal Services. Passionate about education and sharing knowledge, she's a regular speaker at conferences, events and seminars, having worked with leading organisations in the property management industry.
