As governments across the world gradually ease lockdown restrictions, the ICO has issued a guideline on workplace testing to help employers. From temperature tests to asking employees to disclose if they’ve experienced Covid-19 symptoms, you want to make sure all your steps are fully compliant with GDPR as you take precautions to contain the spread of the virus.
To achieve this objective, we’ve outlined some of the key messages from the ICO’s guideline below:
Health information is deemed ‘special category data’ under GDPR. As such, it is important that the medical information you collect is processed “lawfully, transparently and fairly.”
Do you need consent to conduct workplace testing?
Whilst the ICO has allowed for workplace testing when appropriate, it is recommended you get individual consent from employees before this happens. This impacts activity such as temperature screening or disclosure of symptoms. In addition, you must identify an Article 9 condition for processing special category data.
According to the ICO, the most relevant article in this case will be Article 9(2)(b), relating to employment, social security and social protection law. This article is relevant for employers when ensuring the health, safety and welfare of employees. But it requires you to have an appropriate policy document in place.
Can you demonstrate compliance with GDPR?
A huge aspect of the ICO’s guideline is the ability to demonstrate compliance with GDPR. According to the watchdog, it is advisable to conduct a Data Protection Impact Assessment (DPIA). A DPIA will demonstrate accountability and can be proof of compliance if your practices are ever questioned. The process also helps you to identify and minimise data protection risks before conducting tests.
What does your DPIA need to show?
According to the guideline, your DPIA needs to show the following:
- The activity you want to do
- Data protection risks associated with your activity
- Whether the proposed activity is necessary or proportionate
- Mitigating actions that can be put in place to counter risks
- A plan or confirmation that mitigation has been effective
It’s important that you get the help of an expert for your DPIA to make sure it is fully GDPR compliant. We offer DPIA assessments as part of our award-winning Data Protection Officer service. We make the process easy and seamless so you can be confident you are on the right side of the law. Get in touch with us for an initial consultation.
Are you collecting too much data?
Workplace testing to minimise the spread of coronavirus is not an opportunity to mass-collect data on employees. The ICO’s guidance is to collect and retain the minimum amount of information. You should also keep the following criteria in mind before you start:
- Is your data adequate – is it enough to properly fulfil the stated purpose?
- Is your data relevant – does your data have a rational link to that purpose?
- Is your data limited – are you only collecting information that is necessary and not holding more data than you need?
What are your duties to your employees?
As you collect data, be aware that you have duties to your employees. Firstly, you must process their data in a safe and secure way. Secondly, the information they provide to you should be kept confidential. Thirdly, the data you collect should not lead to discriminatory or unfair treatment. For example, if an employee has disclosed their Covid-19 status as positive, this information should not lead to a dismissal, nor should it be disclosed unless necessary, e.g. if contact tracing needs to happen.
When collecting or processing data related to the health status of your employees, maintain a transparent and open channel. Tell them how their health information will affect decision making. Have clear and accessible privacy information before data processing begins. To be fully confident your privacy notice is GDPR compliant, get in touch with us for a consultation.
Be open about the following:
- What data you are collecting
- Why you are collecting it
- How it will impact employees and general decision making
- How long you intend to keep the data
- Opportunities for employees to discuss concerns
- Channels for employees to update or manage data e.g. Subject Access Requests
Disclosing to third parties
As mentioned earlier, for the safety of other people, you may need to disclose if one of your employees has contracted the virus. Avoid naming the person if possible and if you do have to name them, do not provide more information than is necessary.
As explained in the ICO guideline, you have a duty to maintain a safe and secure workplace but it is important that data protection and privacy is also upheld.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.