Many employers are working up their detailed plans for the return of staff to the
workforce. In determining the arrangements they need to put in
place to ensure employees’ health and safety in the workplace,
they will wish to take into account the recently issued Government guidance on safe working.
Testing does not form part of the Government’s current
recommendations. However, many employers are giving thought to
whether they should conduct testing of employees in order to assist
them in fulfilling their duty of care towards their employees to
protect their health and safety – by ensuring so far as possible
that, as employees return to the workplace, they are not exposed to
colleagues who are infected with COVID-19. Employers may consider
carrying out temperature or other checks as part of their health
and safety measures – although taking employees’ temperatures
is generally acknowledged not to be a reliable test of whether a
person has COVID-19 and is not currently recommended by the
Government, Acas or the World Health Organization.
If an employer does decide that testing is necessary, it will
require consent from staff to undergo such a medical examination.
If testing is to take place, it should be applied to all employees,
as only testing certain groups who are perceived to be at a higher
risk of having contracted a virus could potentially lead to
discrimination claims. Employers will also need to determine,
potentially in conjunction with landlords and co-tenants, how
visitors to their premises will be dealt with.
Data protection and health information
From a data protection perspective, in the United Kingdom there
is no explicit prohibition on testing. Nonetheless, employers need
to be aware of and ensure that their approach complies with the guidance recently issued by the ICO on testing
(ICO Guidance). This guidance follows on from the
ICO’s earlier guidance confirming its
pragmatic approach to enforcement of data protection obligations
during the COVID-19 pandemic.
Lawful basis for testing
The GDPR and the Data Protection Act 2018 apply to the
processing of employees’ health data. Whilst health data
constitutes “special category data” for the purposes of
that legislation, the ICO Guidance confirms that processing of
health data by employers is permissible in general terms under the
data protection legislation by virtue of their health and safety
obligations – subject to the caveat that they must not collect or
share irrelevant or unnecessary data.
Minimum necessary relevant information
As is the case with any personal data, but is particularly
important with regard to health information as it constitutes
special category data, employers should collect and retain the
minimum amount of information needed for the purposes for which
testing is conducted. Unnecessary or irrelevant information should
not be collected.
In the context of testing, the ICO Guidance notes that employers:
- Should be able to demonstrate the reason for testing
individuals or obtaining the results from tests.
- Should consider which testing options are available, to ensure
that they are only collecting results that are necessary and
- Will probably only require information about the result of a
test, rather than additional details about underlying
The GDPR “accountability principle” requires employers
to demonstrate their compliance with their data protection
obligations by way, for example, of record keeping. The ICO
Guidance recommends that employers should conduct impact
assessments in relation to their processing of personal data
associated with testing which should be reviewed and updated
regularly. The ICO Guidance reminds employers of its template risk
assessment and that a risk assessment should address:
- The activity being proposed.
- The data protection risks.
- Whether the proposed activity is necessary and
- The mitigating actions that can be put in place to counter the
- A plan or confirmation that mitigation has been effective.
Proper use of test results
The ICO Guidance confirms that, whilst employers can keep lists
of those that test positive for COVID-19, they should ensure that
the use of such lists does not result in any unfair or harmful
treatment of employees. Examples given include inaccurate
information being recorded, an employer failing to acknowledge an
individual’s health status changing over time and information
that has been gathered being used for purposes employees would not
Personal data gathered from testing should only be shared with
those within the employer’s organisation who need to process
the information in order to provide a safe working environment.
Transparency and communication
The ICO Guidance makes clear that employers should be clear,
open and honest with employees about how and why they wish to use
their personal data and what decisions they will make with any
information gathered from testing.
The ICO Guidance acknowledges that the exceptional circumstances
of the pandemic mean that it may not be possible for employers to
update the privacy information provided to employees in detail but
indicates that, before carrying out any tests, they should at least
inform staff of:
- What personal data is required.
- What it will be used for.
- Who the employer will share it with.
- How long the employer intends to keep the data for.
It would also be helpful for employers to provide employees with
the opportunity to discuss the collection of such data if they have
Security, confidentiality and retention
The ICO Guidance confirms that employers should ensure that any
data processing is secure and that they consider their duties of
confidentiality to employees. The ICO Guidance notes that these
obligations apply equally to test results voluntarily disclosed to
the employer as to information gathered from its own testing
Data should not be retained for longer than necessary so
employers need to address how they will ensure that this is
achieved bearing in mind their internal data retention
As data protection legislation requires employers to ensure that
the personal data they hold is accurate, the ICO Guidance indicates
that employers should record the date of any test results, because
the health status of individuals may change over time and the test
result may no longer be valid.
The ICO Guidance suggests that employers may wish to put
processes or systems in place to help employees exercise their
information and subject access rights during the COVID-19 crisis -
such as secure portals or self-service systems allowing staff to
manage and update their personal data where appropriate.
Thermal cameras and other surveillance
The ICO Guidance notes that, before considering the use of
thermal cameras or other surveillance for capturing health
information, employers need to give specific thought to the purpose
and context of, and justification for, their use – as well as
whether they can achieve the same results through other, less
privacy intrusive, means.
Alternatives to testing
As part of their risk assessments, and in determining whether
and on what basis to conduct testing, employers will wish to
consider alternative or additional measures which could
- Asking employees to measure their own temperature every day and
not come to work if it is above a certain level.
- Asking employees to report contact with confirmed or suspected
- Giving clear guidance about when employees should and should
not come to work.
Originally published May 20, 2020