UK ICO Offers Guidance On Back-To-Work Data Privacy Issues | Fox Rothschild LLP

The United Kingdom’s Information Commissioners Office has issued guidance for employers on data protection issues related to the return to the workplace as part of the COVID-19 “new normal.”

General Principles

Legal Basis

  • Testing for symptoms is processing of personal data and subject to the General Data Protection Regulation (GDPR).
  • For private employers, legitimate interests is likely to be the appropriate legal basis for processing
  • For health data, employers must also identify an Article 9 condition for processing (e.g Article 9(2)(b) – employer’s obligations on health and safety).

Data Minimization

  • For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfill your purpose.
  • In order to not collect too much data, you must ensure that it is: adequate – enough to properly fulfill your stated purpose; relevant – has a rational link to that purpose; and limited to what is necessary – you do not hold more than you need for that purpose.


  • Be clear, open and honest with employees from the start about how and why you wish to use their personal data.
  • Have clear and accessible privacy information in place for employees, before any health data processing begins.
  • The ICO recognizes that in some cases it may not be possible to provide detailed informationi in advance.

Data Subject Rights

  • Ensure that staff are able to exercise their information rights.
  • Put processes or systems in place that will help your staff exercise their rights during the COVID-19 crisis.
  • For example, setting up secure portals or self-service systems that allow staff to manage and update their personal data where appropriate.

Employee Testing: Possible, But


  • Be clear about what decisions you will make with that information.
  • Before carrying out any tests, you should at least let your staff know:
    • what personal data is required
    • what it will be used for
    • who you will share it with
    • how long you intend to keep the data
  • If possible, provide employees with the opportunity to discuss the collection of such data if they have any concerns.

Data Protection Impact Assessments (DPIA)

You should conduct a DPIA for the testing. This DPIA should set out:

  • the activity being proposed
  • the data protection risks
  • whether the proposed activity is necessary and proportionate
  • the mitigating actions that can be put in place to counter the risks
  • a plan or confirmation that mitigation has been effective

Data Minimization

  • For example, you will probably only require information about the result of a test, rather than additional details about underlying conditions.
  • Consider which testing options are available, to ensure that you are only collecting results that are necessary and proportionate.
  • As an employer, you should be able to demonstrate the reason for testing individuals or obtaining the results from tests.

Temperature Checks/Thermal Cameras: Possible, But

  • As this is more intrusive technology, give specific thought to the purpose and context of its use and be able to make the case for using it.
  • Make sure that any monitoring of employees is necessary and proportionate, and in keeping with their reasonable expectations.
  • Think about whether you can achieve the same results through other, less privacy-intrusive means. If so, then the monitoring may not be considered proportionate.
  • You can use the surveillance camera DPIA template to this end.

Maintaining Lists of Employees who Tested Positive: Possible, But

  • Ensure the use of the data is actually necessary and relevant for your stated purpose.
  • Ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.
  • Ensure that such lists do not result in any unfair or harmful treatment of employees (e.g. from inaccurate data or data which isn’t up to date).
  • Don’t use the data for any purpose which is not reasonably expected.

Disclosing an Employee’s Condition: Possible, But

  • Keep staff informed about potential or confirmed COVID-19 cases among their colleagues.
  • However, you should avoid naming individuals if possible.
  • Do not provide more information than is necessary.

Receiving Test Results from an Employee: Possible, But

  • Have due regard to the security of that data.
  • Consider any duty of confidentiality owed to those individuals who have provided test results.
  • Make sure your use of the data is necessary and relevant.
  • Do not collect or share irrelevant or excessive data to authorities if this is not required.

Additional Information

UK ICO: Workplace Testing – Guidance for Employers

[View source.]

Source link

Leave a comment