18 May 2020

UK & France update their guidance on Covid 19 for employers; UK ICO delays investigations & more…

See below for the latest Data Blast from our legal team: UK and France update their guidance on Covid 19 for employers; UK ICO delays investigations and enforcement to focus on Covid 19; TikTok video sharing platform faces scrutiny as it sees rise in use by children during lockdown…

UK ICO releases guidance on workplace Covid 19 testing

The UK ICO has published guidance for employers in respect of employee Covid 19 testing. The guidance confirms that data protection law does not prevent employers from taking the necessary steps to maintain a safe workplace, but it does require that employers limit their collection of employee data to what is necessary, and that they handle employee health data with particular care. Employers should also be transparent with their employees about the scope and purpose of any Covid 19 related data collection and processing.

As part of its guidance, the ICO explains that the lawful bases for processing health data in the context of Covid 19 may vary. For public authorities carrying out their functions, public task is most likely applicable, whilst private employers may rely on legitimate interests. However, the guidance recommends that companies make their own organisational assessment in establishing a lawful basis for processing Covid 19 related health data.

As health data is special category data, employers must also identify an Article 9 GDPR condition for processing such data; namely the Article 9(2)(b) employment condition together with Schedule 1 condition 1 of the UK Data Protection Act 2018 (DPA 2018), which apply to processing for employment purposes, including meeting health and safety obligations. The ICO points out that companies must ensure that they do not collect any more data from their employees than what is necessary to meet their health and safety obligations. For example, employers will only be able to justify processing information about Covid 19 test results, rather than collecting any additional information concerning an employee’s underlying conditions.

In order for companies to demonstrate compliance with the GDPR and the DPA 2018 to fulfil the accountability principle, the ICO suggests carrying out a data protection impact assessment (DPIA), specifically regarding Covid 19 testing. The DPIA should set out the activity proposed (virus testing), whether it is necessary and proportionate, the inherent data protection risks, and what mitigating actions can and have been taken to reduce those risks. Before adopting any more intrusive procedures, for example workplace temperature monitoring, it must be determined that such steps are necessary and proportionate, and that no less intrusive means could achieve the same result.

The guidance also stresses the importance of keeping secure any lists of employees who are symptomatic or have tested positive, and ensuring that such lists do not result in unfair or harmful treatment. It is also crucial that employers are transparent about the use of employee data; employers should provide employees with privacy information before any processing begins, including what data is required, what it will be used for, how long it will be retained, and who it will be shared with.

Whilst office staff should be informed about potential or confirmed Covid 19 cases among co-workers, employers should avoid naming individuals where possible. The guidance notes that data protection law does not prevent the sharing of data with public health authorities or the police, where necessary and proportionate.

The ICO’s full guidance can be found here.

France updates guidance on employee health testing

The French data protection authority (CNIL) updated its guidance for employers concerning the use of health testing of employees, following a loosening of mobility restrictions on residents (we previously reported on the CNIL’s guidance on employee health data here). The updated guidance coincides with the first loosening of restrictions on travel and business operations in France since the commencement of the Covid 19 outbreak.

The updated CNIL guidance reminds employers of their legal duty to provide a safe workplace under France’s Labour Code, and that employers should make arrangements for social distancing where possible. The CNIL also recalled its previous guidance, which highlighted that employees should be reminded of their obligation to inform the relevant health authorities (either directly or via their employer) if they have reason to suspect they may have contracted Covid 19.

The CNIL then addresses various measures proposed by employers for securing their workplaces, emphasising the limitations which data protection law places upon their ability to process employee health data:

  • Where employers wish to take the temperature of employees or visitors in order to gain access to their premises, non-invasive testing, such as by infrared thermometer, is permitted provided the results are not recorded either electronically or in any handwritten filing system, as doing so will breach data protection law;
  • The automated monitoring of employee temperatures via thermal cameras is prohibited;
  • Employers are not permitted to mandate employee health questionnaires, and employees working remotely are not required to inform their employer if they suspect they may have become infected, save if an illness requires them to take medical leave, in the same manner as such would be reported for any illness; and,
  • Where an employer is provided with health data by an employee, such as self-reporting a suspected case of Covid 19, the employer can process that data only for strictly necessary purposes such as reporting to the health authorities or implementing workplace safety measures to protect other employees.

It is interesting to note that the CNIL guidance is that employers cannot keep records of any temperature testing result; doing so would constitute the processing of health data. This may prove to be impractical for employers, for example where an employee records a high temperature and is told to return home for the day; without a written record, the employee could be expected to return to work on each subsequent day, only again to be excluded if she were to record a high temperature. By contrast, the UK ICO guidance, as noted above, relies on the UK DPA 2018 and the GDPR to provide more practical means for employers to seek to maintain a safe workplace, including, in appropriate circumstances, the use of temperature testing.

UK Information Commissioner pushes ‘pause’ on regulatory initiatives to focus on Covid 19

The UK ICO announced that it has paused its investigation into the data practices of the real time bidding (RTB) network that underpins targeted advertising online. The Information Commissioner, Elizabeth Denham, has previously said that the RTB ecosystem is in her view not compliant with data protection law, and the ICO’s investigation could have had a profound impact on the online advertising industry globally.

The ICO began investigating RTB practices in early 2019 and has issued several interim updates, but not any conclusive findings that would have forced those involved to amend their practices. Given that the Covid 19 situation is likely to remain at the forefront of concerns for at least the remainder of this year, it is unclear when the ICO might decide to take up again other regulatory concerns.

The ICO also made international headlines last year when it proposed to impose fines in the hundreds of millions of pounds against Marriott and British Airways for data breaches, but imposition of the fines has been delayed several times by the ICO. The current deadline for the ICO to impose fines is June 1st 2020; however, it has been reported that the Information Commissioner confirmed during a recent online conference that a fining decision will be delayed until at least August 2020.

TikTok facing scrutiny over its privacy measures for children

The video sharing app TikTok has grown in popularity since lockdowns have set in across the globe, and its short format video clips and special effects have proved particularly popular with children. The Dutch data protection authority has announced that it will be looking at the privacy approach adopted by TikTok, in particular, whether the privacy notice provided to users of the app is sufficiently clear and accessible that children would be able to understand how their personal data will be processed by the app, and whether parental consent is required for children to use the app.

TikTok’s processing of children’s personal data has previously been investigated by the Federal Trade Commission (FTC) in the US, which ended with TikTok accepting a fine of $5.7 million. Now, advocacy groups in the US are accusing TikTok of being in breach of the FTC settlement, both for having failed to delete children’s data previously collected and by continuing to collect such data without the requisite parental consent.

The questions raised about TikTok’s compliance come at a time when schools are increasingly turning to the use of remote teaching such as video conferencing software and messaging applications, and serve as a reminder that those seeking to deploy technology for the benefit of children should seek specialist advice to identify and minimise the risks involved.

For more information please contact Partner, James Tumbridge at