The ICO have just released updated guidance for employers who are considering new data processing measures due to COVID19 in order to comply with health and safety requirements as part of employees' return to work.
The guidance will be helpful for employers grappling with tricky questions around introducing temperature testing and other forms of testing as steps to help get employees back to work. The ICO again emphasises that data protection law does not prevent employers from taking the necessary steps to keep your staff safe during COVID19, but it does still require employers to be responsible with employee’s personal data and ensure it is handled with care.
On testing, as expected the ICO have emphasised that the key is for employers to ask themselves whether these tests are really necessary. Much of whether they are necessary will depend on the industry an employer is in, what sort of premises they are seeking to protect with the testing measures and the reasons behind wanting to put these measures in place. As a starting point, employers should ask themselves:
- Do you really need the information?
- Will these steps actually help you provide a safe environment?
- Could you achieve the same result without collecting personal information; in particular, health information?
If you decide testing is necessary and proportionate, the key is then to be transparent with your employees about how their test data will be used after its collection and how long you'll store the data for. In practice, we are seeing many employees in the UK asking for temperature testing to be implemented in the workplace and wide acceptance of such measures when they are imposed.
It will be much more difficult to justify COVID19 testing as being necessary and proportionate than (for example) temperature testing at this stage in the pandemic, given it is a quite intrusive measure, as opposed to temperature testing. There are also the practicalities of COVID19 testing regimes to consider (e.g. the delay in getting results and the risk of employees catching COVID19 between the initial testing and the results being received).
One thing to really bear in mind if you decide to get testing up and running is that you should not be collecting or storing more data than is necessary. This means that employers should really be thinking about whether they need records of testing results. For temperature testing, there is a question as to whether it is really necessary to be recording temperature data in the first place, rather than just turning an employee away from entry into the company's premises and recording an employee's absence due to high temperature in the usual way.
It’s about being proportionate - if something feels excessive from the public’s point of view, then it probably is. Our six data protection steps for organisations sets out the key principles organisations need to consider around the use of personal information.