So you have decided that testing your staff for Covid-19 might be sensible. How are you going to get it right? What about all that sensitive health information you are going to store? What are the potential legal pitfalls? In considering whether and how to implement workplace testing you will need to:
- take a careful approach
- be transparent
- communicate effectively with your staff.
As a starting point it is worth noting that workplace testing is not recommended by the current Government guidance and it is not endorsed by the World Health Organisation or Acas.
A Careful Approach
Before you do anything, have several virtual meetings with senior colleagues and make sure that your decisions and reasoning are properly recorded so that you have evidence that you have considered all angles carefully. This is likely to be useful from an HR point of view, but it is also a critical part of demonstrating that you meet the accountability requirement under data protection law (GDPR). Involve your DPO or data protection lead from the outset.
There are three elements to testing:
- the test itself and whether this is necessary – this should involve considering alternatives to testing, such as asking employees to test themselves and giving clear guidance on when to self-isolate
- obtaining the results – how you will test
- what you do with the results, including how you store these securely and how you manage requests from staff exercising their information rights – for example if someone makes a subject access request
You should ensure that your discussions cover all of these stages.
You will also need to follow the data protection guidance on Workplace Testing produced by the ICO.
If you want to carry out workplace testing, broadly, under the ICO guidance you will need to:
- add Workplace Testing to your records of processing activities and identify your justification for processing this data – this will need to have an Article 9 (special category data) reason for processing as well as the usual “legal basis” justification under Article 6 of GDPR
- amend your staff privacy notice to cover the processing of Workplace Testing data, or at least create a notice to cover the testing if you don’t already have an existing notice
- carry out a data protection impact assessment using the ICO template – this will ensure that you can show that you have identified and minimised the data protection risks associated with workplace testing
- carry out a legitimate interest assessment where your legal basis under Article 6 is ‘legitimate interest’ – the most likely legal basis (unless your organisation is a public authority e.g. an Academy Trust)
- create an appropriate policy document using the ICO template where your legal basis under Article 9 is the ‘employment basis’.
Transparency is key to data protection law as the individual employee has a right to be informed about the processing of their personal data. From an HR point of view, it is also key to the employee feeling that they can trust the employer and that they know what is happening.
Transparency and communication overlap but they are not quite the same thing. You will meet the employee’s right to be informed by giving them a privacy notice explaining the use of their personal data, but this alone is unlikely to be good communication. Employees might find receiving a privacy notice without further explanation quite intimidating, especially if it comes without much warning and when they are at home without colleagues to discuss it with. It would be much better to have a virtual meeting or conference call so that a manager can explain to staff how their personal data will be used. This can also be an opportunity to answer questions and to explain to staff your careful approach.
Who should be tested?
If employers are going to test at all, they should test everyone – or at least all staff. This is to avoid unlawful discrimination.
Confidentiality, what data to keep and how to use it
Sharing of any testing data is very unlikely to be justified and employers should therefore take considerable care to keep this data secure and confidential. Employers will therefore need to consider how they go about refusing access to the workplace based on a test result.
Under data protection law, employers must process the minimum data necessary to ensure the safety of their workforce. Therefore, if the aim is to stop infected people entering the workplace, consideration should be given to whether this data needs to be retained at all and, if so, for how long. If no further reference will be made to it, it is arguably not necessary to keep any records of temperature test results.
What if an employee refuses to be tested?
If you have concluded that testing is a proportionate way of ensuring safety at work, and explained this adequately to staff, it would be fair to expect everyone to undergo workplace testing. If you have followed the steps above and received buy-in from your staff, you are unlikely to be faced with an issue. However, if an employee refuses a test and the correct steps have been followed, this would potentially amount to serious (and even gross) misconduct and should be dealt with under the disciplinary procedure.