The Information Commissioner’s Office (ICO) has made it clear in various statements since the start of this pandemic that data protection laws, notably the GDPR (General Data Protection Regulation), do not prevent the sharing and use of health data.
However, their other message has also been very clear – data protection rules still apply, and so any processing of such health data must be done while respecting the data protection principles. As we move into the next phase of the pandemic – and in particular as employers look at how to deal with the return to work – new issues need to be addressed in terms of how much data an employer can and should collect. To aid in this regard, the ICO has now published a question and answer series addressing what it considers to be the main concerns for employers when considering whether to undertake testing.
As special category data, health data requires a higher level of protection. Any processing must be justified on one of the general grounds for processing (for most employers this is likely to be the legitimate interest of the employer) as well as a special category ground. One of the special category grounds allows for processing related to employment and in addition to that, in the UK, the Data Protection Act 2018 also permits processing of special category data where it relates to an employer’s health and safety obligations.
In all cases these justifications only allow for collecting or sharing data which is relevant or necessary, and so it is important that steps are taken by the employer to identify and document what information it actually needs and why. It will also be important to identify what steps need to be taken to protect the security of the information being collected.
This need to document lies at the heart of data protection law – the GDPR introduced the requirement of accountability. Notwithstanding that COVID-19 brings new responsibilities for employers, the data protection rules must still be applied.
How to approach employee testing
One of the biggest concerns for employers relates to the extent to which they can and should carry out employee testing.
The ICO has set out that if employers are going to undertake testing and process health information, then they should conduct a Data Protection Impact Assessment (DPIA), one of the accountability tools established under the GDPR. The aim of the DPIA is to focus on the new areas of risk arising from the collection of this health data.
As noted by the ICO a DPIA should set out:
- “the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.”
As part of the need for accountability, it is also important to be transparent with staff about what testing is being carried out, what the information is being used for and how long the information will be retained. It may be appropriate to update staff privacy notices, although the ICO accepts that, given time pressures, this may wait provided staff are given the information by another route.
Accuracy of the information is key and the employer will need to record the testing results to ensure that they are updated as and when new tests are undertaken. Staff may also arrange their own tests and where such information is provided to employers, the employers have a duty to keep the information confidential and secure and to make clear the purposes for which it will be used.
Sharing health data
One of the trickier areas will be how information about potential or confirmed cases is shared, particularly with other staff. For the most part there will be no need to identify individuals by name – and employers should ensure that their processes reflect this. However, it remains to be seen how this will interface with the contact tracing procedures that are to be put in place and the responsibilities that will undoubtedly be placed on employers once notified of a case in their organisation.
As already noted, the overriding message is to ensure that data protection laws are respected during this crisis. While the ICO may allow some leeway where timescales cannot be met due to remote working, no excuses will be accepted for ignoring the laws completely.