Back to all news
April 2021

Data Privacy and Workplace COVID-19 Testing

Fiona Dunger Consultant Solicitor - Employment

As COVID-19 restrictions are eased, the Government has expanded its workplace testing programme so that more employers whose staff cannot work from home are having to consider the legal and practical implications of testing staff for coronavirus COVID-19 at work.

Workplace testing aims to detect those with coronavirus COVID-19 who are asymptomatic, (estimated to be around a third of those with the virus) and thereby prevent inadvertent transmission to colleagues and help to break chains of transmission. Lateral Flow Tests (LFTs) are used, which give a result within 30 minutes. Government guidance recommends that employers offer their staff two LFTs per week.

Employers have a legal duty to provide a safe place of work, and testing can clearly help them to ensure this, but before starting to test at work employers should consider
compliance with their legal responsibilities to staff under health and safety, equalities, employment and data privacy law.

What are the data privacy issues that employers should address before starting a testing programme?

Conducting LFTs at work will involve processing personal data. Under the UK GDPR and the Data Protection Act 2018 this must be done lawfully, fairly and transparently and as the data relates to health, which is classed as ‘special category data’, additional safeguards are required.

Due to its sensitivity, processing health data requires specific conditions to ensure it is lawful. For workplace testing these are that processing is necessary either:-
• to comply with obligations under employment law (to provide a safe place of work); or
• for public health reasons (running a testing programme to help stop the spread of the virus and reporting results to PHE).

Before starting a testing programme employers should undertake and document a data protection impact assessment (DPIA). This must look at what the testing is trying to achieve, and whether processing personal data is necessary for this purpose. It should consider their specific circumstances:-

• the type of work they do;
• their premises and whether working from home is possible (even if previously ruled out); and
• whether testing will enable them to provide a safe work environment or whether they could achieve the same result without collecting health information i.e. with existing COVID-19 social distancing and hygiene measures.

If the DPIA demonstrates that the proposed testing programme is reasonable, fair and proportionate then processing the data is permitted.

The health data collected must be no more than is necessary and relevant for the stated purpose, so employers must only collect the test result, not additional information e.g. about underlying health conditions. As data held must be accurate, the date of the test result must be recorded as health status will change over time.

If employers intend to make checks mandatory this should be addressed in the DPIA as they will need to demonstrate that a mandatory programme is reasonable, fair and proportionate. This will depend on their particular circumstances and work environment, and should be reviewed regularly as circumstances change.

In considering how frequently to test, again an assessment must be made of their particular situation. In some sectors repeat testing may be justified more often than others, e.g. health and social care where employees regularly come into contact with vulnerable individuals.

Transparency is very important and employers must provide clear written information to staff about how the testing programme will work. This should include what data will be required, what it will be used for, who it will be shared with and how long it will be kept. This could be in a general staff communication document or, better still, in a specific privacy notice and it should provide opportunities for staff to raise concerns.

Employers are permitted to share the test data with other staff where there are possible or confirmed cases, but in doing so should avoid naming individuals unless this is unavoidable, and only provide as much information as is necessary.

Records should be kept of who has had access to test results, when and why so as to demonstrate accountability.

As employers consider how staff can safely return to the workplace, using LFTs in addition to all other COVID-secure measures will hopefully reassure their employees that it is safe to do so.

Photo by Jakayla Toney on Unsplash

 

If you have any questions about data privacy and workplace COVID testing, please don't hesitate to get in touch with Fiona.

Fiona Dunger Consultant Solicitor - Employment +44 (0) 20 7846 0383 fiona.dunger@jurit.com

Or another member of the Employment Team.

Adrian Hoggarth Partner - Employment +44 (0) 20 7060 6408 adrian.hoggarth@jurit.com
Louise Taft Consultant Solicitor - Employment +44 (0) 20 7060 6474 louise.taft@jurit.com
  • LinkedIn
  • Twitter
  • Facebook

Please note this paper is intended to provide general information and knowledge about legal developments and topics which may be of interest to readers. It is not a comprehensive analysis of law nor does it provide specific legal advice. Advice on the specific circumstances of a matter should be sought.

Latest News

  • In the press
  • Private Wealth

Is it possible to give away my pension savings to avoid IHT?

December 2024 by Jo Summers
  • Jurit News
  • Private Wealth

Joe Hallett joins private wealth practice at Jurit

December 2024 by Clair Mathews Crawford
  • Employee Ownership Trusts
  • Employment
  • Jurit News
  • Tax and Incentives

Join our Upcoming Employment Rights Bill Webinar

November 2024
  • In the press
  • Private Wealth

BBC Rip Off Britain – The devastating effect of probate delays

November 2024 by Jo Summers