The Information Commissioner's Office has recently updated its guidance for controllers on their data processing obligations during the Covid-19 pandemic. The updated guidance provides organisations with six key data protection steps to follow, together with expanded guidance on the use of workplace testing and surveillance.

Coronavirus recovery - six data protection steps for organisations

On 16 June 2020, the Information Commissioner, Elizabeth Denham, published a blog with the six key steps she recommends organisations focus on in their data protection practices at this time.

While the six steps simply summarise the data protection principles that apply under data protection law to any processing of personal data, the blog is a helpful reminder of the key points for organisations to keep in mind if they are considering undertaking new processing activities as a consequence of Covid-19:

  • Only collect and use what’s necessary: Ensure that only the personal data required to keep your workplace safe is collected, and consider whether any other measures could result in a safe environment without collecting any additional data.
  • Keep it to a minimum: Only collect that personal data which is necessary in order to implement any new safety measures appropriately and effectively. This is particularly important when it comes to collecting employee health data, for example, if you are going to be recording symptoms and test results.
  • Be clear, open and honest with staff about their data: Consider whether and how employees may be affected by any of the measures implemented in your response to Covid-19. Remember to be transparent with staff about what information you may collect from them and what you will do with it.
  • Treat people fairly: Similarly, some people may be at risk of discrimination because of the information (particularly health data) you may want to collect. Consider what measures can be put in place to ensure employees are treated fairly.
  • Keep people's information secure: In line with your usual data protection practices it is important to continue to ensure all information collected during the pandemic is held securely. Consider revisiting your retention policy to address new types of information which are intended to be kept only temporarily.
  • Staff must be able to exercise their information rights: Following on from point 3, it is important individuals continue to be told about how their data will be used and their corresponding rights. As part of this exercise you may decide it's appropriate to conduct a data protection impact assessment (DPIA) if any new data processing could result in a risk to data subjects.

Workplace testing for Covid-19

A number of organisations are looking to workplace testing as a way of helping to reduce the risk of their staff being infected with Covid-19. Workplace testing raises a number of data protection issues, which need to be considered alongside the employer's duties under employment law and health and safety law. Having initially published a short guidance document, the ICO has expanded its guidance on workplace testing for Covid-19, provided through an accessible FAQ format. 

Key questions include "When they return to work, I want to carry out tests to check whether my staff have symptoms of COVID-19 or the virus itself. Do I need to consider data protection law?", "How do I decide if symptom checking, testing and the processing of health data of employees is necessary?", "Can I make it mandatory that my staff are checked for COVID-19 symptoms or tested?", "How often should I check for symptoms or test employees?" and "Can I share the fact that someone has tested positive with other employees?".

The overarching message from the ICO is that data protection law does not stop organisations testing employees for Covid-19. However, before an organisation does so, there are a number of issues to consider:

  • Identify what objectives the testing is designed to achieve: for example, you may run a manufacturing plant where lots of employees work in close proximity and you want to secure a safe working environment.
  • Consider if testing is necessary to achieve those objectives: test results will be classed as special category personal data, so you should only process that type of information where absolutely necessary. If the objective of a safe working environment could be achieved by other measures, then testing may not be appropriate. It's important to ensure a testing regime is proportionate and to consider whether less intrusive measures could achieve the same objective. For example – could employees be asked to social distance, wear masks, or work from home instead? Or could testing be limited to employees carrying out certain, higher-risk, tasks?
  • Identify your legal basis for processing data associated with the tests: test results will be special category personal data so legal bases from Articles 6 and 9 of the GDPR should be identified along with any further requirements under the Data Protection Act 2018. The ICO suggests that the legitimate interests basis from Article 6(1)(f) and the employment condition from Article 9(2)(b) can be relied upon for private organisations, but each organisation will need to reach its own conclusion on this and be able to justify the legal bases upon which it seeks to rely. Reliance on the employment condition in particular will require the employer to show that testing is necessary for its particular duties under employment/health and safety law.
  • Data protection laws are just one consideration before implementing a testing regime: it is recommended that organisations consider and where necessary take advice on what other regulations and laws could impact a mandatory testing regime. For example – health and safety laws, employment laws, and equality laws.
  • Be mindful of who test results are shared with: any health information collected from employees during the pandemic, including test results, should be disclosed to as small a group as possible. The ICO asks if access could be limited to medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility. Further, ensure that employees are provided with full transparency on how and with whom their data may be shared. Testing labs may have a legal obligation to notify positive results to public health authorities.
  • Record-keeping and accountability requirements: the ICO is clear that organisations who are going to undertake testing of employees for Covid-19 will be processing special category personal data (specifically, health information) and must undertake a DPIA in advance of the testing programme beginning. The DPIA process should assist with ascertaining whether an organisation's testing programme is necessary, what legal basis it will rely upon, and what the impact could be on data subjects so that any risks can be managed effectively. This is particularly important if a third party is involved in carrying out or facilitating the testing in any way.

Workplace testing will only be appropriate in specific circumstances. It's therefore essential that organisations carefully consider the data protection issues, and engage with employee representatives, before commencing the testing programme.

Workplace surveillance and Covid-19

While some organisations will be implementing testing programmes for staff, others may look to other ways to ensure a safe workplace environment, such as thermal cameras or CCTV systems. As with its other recommendations and advice highlighted above, the ICO is keen to stress that data protection laws do not prevent employers from considering how they can protect their employees and workplaces during the Covid-19 pandemic.

In terms of the use of intrusive technologies such as thermal checks and thermal cameras, the ICO reminds organisations that proportionality in their use and transparency with individuals are key. The ICO's view is similar in relation to using CCTV cameras to monitor employees' adherence to health and safety measures. Again, it states that use of these measures must be necessary, justified and proportionate. For example, can these systems be used in a way that does not record any personal data about an individual, but instead simply provides that individual with the result and instructions on what to do if the system suggests that they have a high temperature?

Before utilising these methods of surveillance an organisation should consider whether employees would expect their data to be used for these purposes and in these ways and undertake a DPIA to confirm this type of processing is appropriate in the circumstances. Employers will also need to bear in mind that a high temperature could be caused by a number of factors unrelated to Covid-19 and is not on its own necessarily an indication of ill health (whether Covid-19 or otherwise).

Careful thought should be given before using these technologies to monitor an employee's past movements should they, at a later date, test positive for Covid-19. Monitoring in this way may reveal additional information about an employee's private life, in respect of which they are entitled to a degree of privacy.

Collecting customer and visitor details for contact tracing

Finally, the ICO has published some guidance for those businesses that are being asked to collect contact details for customers, visitors and staff for contact tracing purposes. We cover that in more detail in our Insight guide for hospitality businesses.

If you would like to discuss the data protection issues that your organisation is encountering in relation to your response to Covid-19, please contact Martin Sloan, Grant Campbell or Rachel Lawson.
