Employers must be ‘lawful, respectful and transparent’ in how they collect and process test data, says the ICO
The Information Commissioner’s Office has published guidance on how employers should handle data if they decide to test employees for Covid-19.
It reminds organisations that they still need to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act, which require them to handle such data “lawfully, respectfully and transparently”.
They can keep lists of employees who have either had symptoms or tested as positive, but need to ensure that the processing of this data is “necessary and relevant for the stated purpose”.
However, they must also make sure that such lists do not result in unfair or harmful treatment of employees – individuals’ health status will change over time and information could become inaccurate, the ICO advises.
If they’re sharing information with the wider workforce, they should avoid naming individuals where possible, and not provide more information than is necessary.
Because test data is sensitive medical data, it is classed as “special category data” and is therefore subject to more stringent protection requirements. These include producing a data protection impact assessment (DPIA) and keeping detailed records of how the data is categorised and documented.
The DPIA should set out:
- the activity being proposed;
- the data protection risks;
- whether the activity is necessary and proportionate;
- how risk will be mitigated; and
- whether risk mitigation has been effective.
Organisations must also meet a number of conditions if they wish to process testing data. These include explicit consent from the individuals concerned and a reason for processing, such as public health or employment protection. Essentially, processing is permitted “as long as there is good reason for doing so”, according to the ICO.
Employers can show that their processing of test data is compliant by using the ICO’s accountability principle, a checklist that enables them to see if they are compliant with GDPR and data protection legislation.
The ICO warns employers against collecting too much data, reminding them it “is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose”.
Where staff have arranged tests for themselves, employers should have “due regard to the security of that data” if workers have disclosed the results. If employers are considering additional measures such as temperature checks or thermal cameras on site, they must give “specific thought to the purpose and context of its use”, and make a case for collecting such data, says the ICO.
Transparency is crucial regarding any data related to testing, the ICO advises. Employers could consider setting up secure portals or self-service systems so staff can manage and update their personal data where appropriate.
The Office adds that it will continue to take a “strong regulatory approach” against any organisations breaching data protection laws to take advantage of the crisis, but acknowledges that employers’ stretched resources at the moment could impact their levels of compliance.
For example, some organisations may see a rise in Subject Access Requests from employees keen to know how their data has been used, but struggle to respond due to immediate priorities. The ICO says it will take this into account before taking formal enforcement action.