COVID-19 – Impact on UK employers and employees

The coronavirus pandemic is continuing to cause unprecedented problems within the workplace.  

Currently, many employers are considering how to bring their employees back into employment safely as the lockdown eases. We all must remain educated on how to align our operational practices with the current health and safety guidelines of the return-to-work strategy.

One key issue facing employers is the use of COVID-19 testing and what this means for their employees and data protection.  

Read on for all you need to know about risk assessments, information security and your obligations as the lockdown lessens.


The ICO and data protection

On the 13th May 2020, the Information Commissioner’s Office (ICO) released new regulations to assist employers and employees with the return to work.

Some employers will want to test employees for symptoms of COVID-19. This will mean collecting, storing, and using their data where appropriate.

This process is raising questions about the impact these new procedures will have on everyone. Therefore, the ICO has addressed the critical concerns in their announcement.

Data Protection Impact Assessment (DIPA)

Firstly, all organisations should undertake a data protection impact assessment. This needs to be done before accumulating or recording any personal information relating to COVID-19.

This assessment should review the impact that data collecting and storing will have on individuals, and you will need to consider the following:

  • What is the activity in question?
  • What are the data protection risks of the activity?
  • Whether the activity is essential and proportionate to business needs
  • What mitigating actions can be implemented to counter the risks?
  • How can you evaluate that these modifying actions have been effective in countering the risks?

What do I need to know about data protection when testing my employees for COVID-19?

As you will handle information relating to an identified or identifiable person, you need to abide by the GDPR and the Data Protection Act 2018. Effectively this means managing all information lawfully, fairly, and transparently.

As an employer, you have the responsibility to keep your staff and clientele safe. Nevertheless, you are also fully accountable for any health data that you obtain from your employees through testing.

Any information relating to individual health will be branded as ‘special category data’. This is due to it being more sensitive and classified, and therefore it must be more stringently protected.

We understand that this year has been rife with changes and unprecedented events. For many, data protection of COVID-19 testing is merely adding fuel to the fire of confusion. You must prepare yourself and make any necessary adjustments so that you handle information with care.

If you are in doubt about your rights or the rights of your employees, then we recommend contacting the ICO or an employment law expert for further advice.  

If my employee refuses a COVID-19 test, what legal rights do I have?

Once you have carried out your Data Protection Impact Assessment (DIPA), you will have the information you need to demonstrate reasonable cause for testing. 

If you can prove there is a reasonable justification for you collecting and processing health information relating to COVID-19, then it is permissible under DPA laws.

As mentioned above, health information falls under the classification of ‘special category data.’ It has its own specific protected status under the data protection law. Therefore, employers are required to stipulate an Article 9 condition for administering this information.

The conditions you will need to adhere to are as follows:

  • The employment condition in Article 9(2)(b)
  • Schedule 1 condition 1 of the DPA (2018)

More information about Article 9 (2)(b) is available here. However, it states that employers are permitted to collect and process particular category data to ensure the health and welfare of their employees. That is on the provision that unnecessary or irrelevant information is neither gathered nor shared.

Can my employer collect too much data?

As health records are a select category of data, it is vitally important that an employer is stringent about how much information they assemble. This means only obtaining and storing the minimum amount of information you need to fulfil your purpose.

To do this, an employer must ensure that all information is:

  • Adequate: enough to reasonably fit the stated purpose
  • Relevant: has a tangible link to the purpose
  • Essential: limited to what is necessary

Within the framework of COVID-19 test results, an employer needs to ensure that they do not collect or store excessive information from their staff. Therefore, they should only need data relating to the results of the test and not peripheral information such as current medications or underlying conditions.

An employer will need to demonstrate both their reasons for testing staff and storing results from tests. The law also requires that any personal data is highly accurate. This means that any test results are marked with a date, as the health status of a person can change, and therefore the records stored may no longer be valid.

I have an employee who tested positive for COVID-19. Can I store their data?

Yes. However, if you need to collect health data about your employees, you need to ensure that:

  • The data is strictly specific to your needs
  • The use of the data is necessary and relevant for your purpose
  • Any processing of data is secure and confidential

You also should ensure that such data is not unfair or harmful to your employees. Examples of such disparaging data could include:

  • Recording inaccurate information
  • Failing to acknowledge that a health status’ change over time
  • Retaining data for unnecessary purposes

How do I explain COVID-19 testing to my employees?

As with anything in business, being clear and transparent is vital. Be honest and open with your employees from the outset about the entire process. This can include:

  • How you will gather their data
  • Why you will collect their data
  • What specific information you need
  • How you will store their data
  • How long you intend to store the information for
  • Who will have access to this information?
  • What you intend to do with that information
  • What decisions you will make based on the results of the data

It is also critical that you have a clear and accessible privacy policy available to your employees. This needs completing before any data processing or collection starts.

Can I tell my employees when someone has tested positive for COVID-19?

You must keep all staff informed about possible or confirmed cases of COVID-19 that they may have been exposed to. However:

  • You should avoid naming specific persons where possible
  • You should not provide more information than is essential

We are all responsible for limiting the spread of this epidemic. This includes employers ensuring they do what they can to maintain health and safety in the workplace.

As an employer, you might be required to share necessary and proportionate health records. This may be with the public health authorities or police. We need to avoid seeing data protection as a barrier or an excuse.

You can share data legally and fairly using some conditions and exemptions of the Data Protection Act (2018). You may be inclined to safeguard yourself by refusing to share information. 

However, you also need to consider the risks to the public further-afield by not disclosing essential information.

Are you concerned about what you are legally entitled to disclose? Then speak to an employment lawyer who will advise you further.

Get the legal advice you deserve?
Do you want to know your legal rights on returning to work during COVID-19? Speak to one of our employment lawyers now. Get the law on your side!

What about temperature and thermal camera scanning?  

When collecting health information, you need to give specific consideration to the context and purpose of its use. Some may see a camera and thermal scanning as a more intrusive form of technology. 

Moreover, in some instances, it may not align with the data protection edicts of being necessary and proportionate.

Consider whether you can accomplish the same results through alternative and less intrusive methods. If you can, then the camera and thermal monitoring are not considered proportionate.

The Surveillance Camera Commissioner (SCC) and the Information Commissioner’s Office (ICO) have updated the SCC DPIA template, specific to these types of surveillance systems. We recommend reviewing this information before installing these forms of a camera system.

Key Takeaway

Data protection and the law can be a complicated concept. The repercussions for breaching the regulations are grave and severe.

COVID-19 testing, collecting test results and storing health data are new concepts for many of us. You are not alone if you are concerned or do not know where to start. When it comes to the sanctity of personal information, it is not worth the risk to your business or reputation, so seek advice.

Contact our specialist employment lawyers today for more information about COVID-19 and the data protection laws.  

Related articles:  Furlough – Most frequently asked questions answered!

This site uses cookies to make it more useful and reliable. See our privacy policy. Do not use this site if you do not consent to our use of cookies.