Data protection
Testing involves taking and storing employees’ health data, which is highly sensitive ‘special category’ personal data that requires the highest level of protection under the General Data Protection Regulation.
Businesses who want to collect and use this data must satisfy one of the prescribed conditions for the lawful processing of the data (for example, the individual’s explicit consent or that processing is necessary for reasons of public interest in the area of public health) in addition to ensuring that their processing of the data has a lawful purpose and is fair and transparent.
Employers must also take care when storing this highly sensitive personal data and ensure that all testing is necessary and proportionate. This can be achieved by conducting a data protection impact assessment, which can also demonstrate how any risks can be mitigated.
The following should be avoided when carrying out testing on employees:
- Collecting more data than necessary for the purpose of keeping the workplace safe: employers should record the date of each test to ensure accuracy and should only ask for employees’ details that relate directly to COVID-19;
- Keeping public lists of employees who have been tested: lists should be confidential, anonymous where possible, and should not be used for any other purpose than keeping a record of testing; and
- Naming employees who have tested positive: while employers have a duty to maintain the health and safety of their employees, this must be balanced against the individual’s right to privacy and individually identifying those who test positive is usually avoidable.
Above all, employers should be transparent with their workforce. At the earliest possible stage, they should clearly explain to their employees what data will be required, what it will be used for, who it will be shared with and for how long it will be retained. With the appropriate due diligence beforehand and open lines of communication with employees, testing regimes can be effectively introduced.