29 June 2020

Personal Data: What you need to think about before staff return to work

As employers plan for a return to the physical workplace, data protection compliance has to be a key concern when considering appropriate measures to maintain a safe workplace for employees – if you don’t have a legal basis for processing, inform your staff and seek consent, then you may breach data protection law if you are monitoring indicators of health.

As the UK continues to relax restrictions on travel and working in the wake of the Covid 19 pandemic, employers are grappling with how to have people back in their workspaces, whilst complying with the law and guidance and the rights of employees. One key aspect to get right is the personal data you record on your employees, and how you use it, especially if you are considering any kinds of tests or records on their health to enable them to come back to work. So whilst assuring employees that measures are in place to maintain the safety of the workplace, will be at the forefront of employers’ considerations, but they would be well advised not to rush into the adoption of safety-oriented measures without first considering fully their legal obligations to their employees, including the data protection consequences of measures focussed on monitoring employee health.

The UK law does allow employers to process the personal data of employees, including health data, but only where it is necessary to comply with their legal duty to maintain a safe workplace. This caveat is important, if you cannot justify the intended action as necessary you are open to legal challenge. Take for example temperature testing, it may help along with other observed symptoms to alert that someone is unwell, but on its own it tells you little. If the temperature is being monitored, who is then interpreting it, and what judgments will be made from it? Importantly what data will be kept and how will it be used?  These are all questions you need to ask yourself and if you cannot provide sufficient justification then you may be collecting and processing medical personal data outside of what is legally permitted. What measures to adopt, and how they are implemented, will ultimately determine whether employers are compliant with data protection law, or whether they could be creating legal issues for themselves which may have repercussions beyond data protection law, such as their employment law obligations.

The UK Information Commissioner’s Office (ICO) has issued updated guidance for employers who are preparing for the physical return to work of their employees. The guidance is drafted in broad terms, and emphasises that there is no ‘one size fits all’ approach to determining whether any particular form of health testing will be appropriate and necessary in order for an employer to maintain a safe workplace. However, we urge employers to focus on the words ‘appropriate and necessary’ because if you cannot explain your actions in those terms you may have a problem. Whether particular measures are appropriate will require employers to consider the core data protection principles of transparency, fairness and proportionality in much the same way as they are required to do for other data processing.

The key questions for employers, at the outset and throughout any measures adopted, will be whether the data being collected are relevant, adequate, and limited to what is necessary to allow the employer to meet its legal obligation to maintain a safe workplace.

In order to comply with data protection law, employers considering any form of health testing for employees should ensure that they are:

– Transparent about the collection of personal data and its use:

  • What testing is being proposed and why it is thought to be necessary;
  • What data will be collected;
  • How data will be used (will a higher temperature reading mean that employees will be excluded from the workplace?);
  • Whether data will be shared with anyone else (for example whether public health authorities will be notified of a positive Covid test result); and
  • How long data will held.

– Employers are accountable for the data processing undertaken; you need the ability to demonstrate by written records that proper thought has been given to data protection compliance throughout the process, including:

  • The promulgation of a clear privacy notice to employees;
  • Consideration given to data security for any health data collected;
  • Procedures in place for responding to employee requests to access the data collected about them; and
  • The carrying out of a Data Protection Impact Assessment, where required.

You should also remember to check what your employment contracts permit; you may well find you need to obtain additional consents and agreement from staff before you implement any measures. Health data, including temperature readings, are ‘special category’ data and may only be processed where additional conditions are identified which justify such processing. Employee consent is important, but it is not necessarily sufficient to legally justify processing, as the power imbalance between employees and their employer means that consent cannot usually be shown to be freely given. This is particularly the case where employees may be excluded from the workplace if they provide information which indicates they may pose a health risk to others, and this is a greater issue if their pay or other conditions are impacted by not being able to attend to work.

Article 9(2)(b) of the GDPR allows for the processing of health data where it is necessary for carrying out obligations in the fields of employment and social security and is authorised by member state law; the UK Data Protection Act 2018, in Schedule 1, condition 1, provides the necessary basis in UK law to permit the processing. This offers flexibility to UK employers and is different to other GDPR jurisdictions. Authorities in France and Belgium for example, have advised that local law does not permit employers themselves to process health data of employees for the purpose of securing the workplace against Covid 19.

A range of options for monitoring employee health, but which are truly necessary?

Official UK Government guidance remains that those who are able to work from home should be permitted to do so. This effectively means that those who have been performing their roles remotely since the onset of the Covid 19 lockdown should be allowed to continue to do so at this point in time. When considering health checking measures which could be implemented by employers, this strongly suggests that the criterion of ‘necessity’ is not met for ‘office workers’ who are able to continue working remotely.

The UK Government guidance is likely to evolve over the coming weeks, and assuming that the transmission rate of Covid 19 continues to fall, it is possible that the coming month will see guidance allowing the return of office workers to their physical workplaces. The question of necessity will remain central to employers’ consideration as to the measures which should be adopted to maintain a safe workplace. Recent reports suggest that some are opting for temperature checking in order to gain access to the workplace. This has had a mixed reaction, and practically it needs to consider what temperature point is deemed too high, and what is the consequence? Will there be allowances for whether a person was cycling or running before arrival for example? How long will the interval be between taking the temperature; can you wait and keep trying until you meet the limit or will he person be excluded for a minimum period of time?

The World Health Organisation, amongst others, has stated that because symptoms of Covid 19 can remain latent for a considerable period, and that many will not exhibit symptoms at any point, temperature checking remains unreliable as a protective measure against the spread of the virus. Accordingly, employers should be cautious about adopting this ‘easy’ procedure at their workplaces, as it could ultimately provide a false sense of security to employees returning to the office, or be something that is objected to as not being necessary or justified.

The ICO recognises the immense challenges faced by employers and has specifically noted that data protection law does not prevent employers from asking employees to report if they suspect they are ill, as with any other type of illness; organisations should already have in place compliant data protection processes for such circumstances. The question is whether, and to what extent, Covid 19 justifies the introduction of any more onerous obligation on employees to provide health data. The consequences flowing from ill-considered employee health monitoring may go beyond mere compliance with data protection obligations. Employers must be conscious of their employment law obligations, including not discriminating against employees, for example making accommodations for employees with particular health circumstances when planning a return to the physical workplace.

When assessing what is a suitable measure these concerns on data also need to keep in mind the various health and safety obligations relevant to COVID-19 including those under the following legislation:

  • Health and Safety at Work etc Act 1974;
  • The Management of Health and Safety at Work Regulations 1999;
  • The Workplace (Health, Safety and Welfare) Regulations 1992;
  • The Personal Protective Equipment at Work Regulations 1992; and
  • The Control of Substance Hazardous to Health Regulations 2002

Collectively, these obligate employers to take as much care for employees and others affected by the business as is reasonably practicable. Overlaying this are 12 guides from the UK Government on how to operate your workplace, which can be read here.

Perhaps key amongst the guidance is the 5 step test:

1. Carry out a COVID-19 risk assessment

This is fundamental; before restarting work, employers are expected to ensure the safety of the workplace by:

  • Carrying out a risk assessment in line with the HSE guidance
  • Consulting with your workers or trade unions
  • Sharing the results of the risk assessment with your workforce and on your website
  • Note the advice here to be transparent and publish your assessment; this could be important in any justification for processing health data.

2. Develop cleaning, handwashing and hygiene procedures

By now it almost goes without saying, that we should increase the frequency of handwashing and surface cleaning. However, if you intend any form of monitoring of hygiene, then you need to keep in mind the need to justify it and to ensure you comply with data protection obligations.

3. Help people to work from home

By now you probably have the work from home set up all in place. It is highly likely you have to implement this quickly and you may not have had the time you want for review/risk assessment and consideration of whether the way you are operating is optimal and compliant. So we do urge you to take time and look at whether your systems are adequate to keep your data personal or otherwise safe, and we have guidance for you here.

Do consider if the home working arrangements are such that confidentiality is assured, and if your staff have the right equipment, and secure remote access to work systems.

4. Maintain 2m social distancing, where possible

On this at least we have little we need say, save only to consider how in your office environment you intend to monitor compliance. If you will be recording any data, for contact tracing or otherwise you need to keep personal data requirements in mind.

5. Where people cannot be 2m apart, manage transmission risk

Where it’s not possible for people to be 2m apart, the same point applies to monitoring and considering what if any data you might process.

In conclusion

Overall, the unwinding of lockdown presents many challenges, but everything is possible if you can justify the necessity. If you would like any guidance on what you need to understand do please reach out to us.