Up Again UK: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Temperature checks on entry to work premises are not currently recommended by the public health authorities or in the government’s COVID-19 secure guidance. Where this testing is not strictly necessary for an employer’s health and safety or duty of care obligations, there may be risks under both data privacy and employment laws to insisting on such checks. However, the level of risk will depend on the work environment and the employer’s management of the situation.

Despite testing not currently being recommended, it is understandable that employers may feel it would help protect the health and safety of staff and make them feel more confident about returning to work. The UK Information Commissioner’s Office (ICO) has issued guidance on data protection and the coronavirus pandemic indicating that data protection laws are not a barrier to employers carrying out temperature monitoring to check whether staff or visitors have symptoms of COVID-19. But the guidance is clear that the GDPR and the Data Protection Act 2018 (DPA 2018) will apply to any personal data processed as a result of any monitoring. Checking the temperature of staff or visitors involves the processing of special category data (i.e. health data), which requires a legal basis under both Article 6 and Article 9 GDPR. The ICO guidance clarifies that employers should be able to rely on Article 6(1)(f) GDPR – “legitimate interests” – as the legal basis for processing personal data as a result of temperature/health monitoring.

As the processing of health data requires a legal basis under both Article 6 and Article 9 GDPR, the ICO guidance indicates that employers may be able to rely on Article 9(2)(b) GDPR, along with Schedule 1 condition 1 of the DPA 2018, which applies due to employers’ health and safety obligations. The ICO guidance states that this condition will cover most of what employers need to do, as long as employers are not collecting or sharing irrelevant or unnecessary data.

Specifically in relation to temperature checks, the ICO guidance indicates that employers should consider the purpose and context of their use and be able to make the case for using them. It reminds employers that any monitoring of employees must be necessary and proportionate, and in keeping with their reasonable expectations; employers must also consider whether the same results are achievable through other, less privacy-intrusive, means. Employers should consider if they could, for example, encourage staff to check their own temperatures and warn that there may be disciplinary action if they fail to follow government guidance and attend work with symptoms. Employers intending to process health data of staff or visitors should take the following measures as a minimum to help minimise data protection risks:

  • Be clear, open and honest with employees/visitors from the start about how and why their personal data will be used and what decisions will be made with any testing information. Where possible, provide clear and accessible privacy information before any health-data processing begins and, as a minimum, let staff/visitors know what personal data is required, what it will be used for, and who it will be shared with before carrying out any testing.
  • Ensure any information processed as a result of testing is kept secure and confidential.
  • Limit the nature and volume of personal data processed to that which is absolutely necessary and proportionate.
  • Only retain information for as long as necessary and ensure that personal data processed remains accurate.
  • Carry out a data protection impact assessment to record the risks and mitigation steps taken before carrying out any testing.
  • Only use the information for health and safety management during the current coronavirus emergency situation.

From an employment perspective, requiring staff to have their temperature checked at work may not be a reasonable management instruction, given the absence of government or public health authority guidance recommending this. Staff who refuse a test and are sent home would be entitled to full pay. Disciplinary action is likely to be difficult to justify, and there would be a risk that a dismissal based on a refusal would be unfair.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

Where it is proportionate and necessary to do so in order to manage operations, health and safety and the employer’s duty of care regarding COVID-19, employees and visitors can be asked whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or have recently travelled to high-risk countries. The same legal basis set out in the section above applies.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Where it is proportionate and necessary to do so in order to manage operations, health and safety and its duty of care regarding COVID-19, an employer can ask employees to inform it if they or a member of their household has contracted COVID-19, or that they have the antigen. However, employers must not collect more information than needed. For example, it is unlikely to be necessary to collect information about the specific symptoms of each member of an employee’s household. Where reasonable to do so (taking into account health and safety and other employer duties and obligations), employers can ask employees to follow public health advice and stay at home if a family member has contracted COVID-19.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

The ICO has confirmed it is acceptable to make staff in a relevant area aware that there has been a confirmed case of COVID-19, where this is needed to take measures to track contacts and manage the impact. But the guidance says that naming the specific individual should be done only where genuinely necessary.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Yes. The ICO guidance confirms that if it is necessary to share information with authorities for public health purposes, then data protection law will not stop employers from doing so. The ICO guidance also goes further by stating that employers should take into account the risks to the wider public that may be caused by failing to share information.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Employees’ health data related to COVID-19 can be sent to an affiliate located outside the EEA, but there must be a legal basis under both Article 6 and Article 9 GDPR for the transfer. Any transfer of personal data to a third country must also comply with the transfer requirements under Chapter V GDPR.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

The ICO guidance does not rule out ongoing monitoring of staff, but is clear that any monitoring of employees must be necessary and proportionate, and in keeping with employees’ reasonable expectations.

The Surveillance Camera Commissioner (SCC) and ICO have updated the SCC Data Protection Impact Assessment template, which is aimed at assisting employers when considering the use of thermal cameras or other surveillance during the pandemic. If any monitoring is carried out (where this is proportionate and necessary and there is a clear legal basis for doing so), employees must be clearly informed about the monitoring before it takes place.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

The ICO guidance is clear that the GDPR and the UK Data Protection Act 2018 will apply to any personal data processed for the purposes of tackling COVID-19. There is no general waiver of compliance because of the public health emergency. However, the ICO has indicated that it recognises that the pandemic requires organisations to reassess their priorities and resourcing. As a result, the ICO will take a pragmatic approach where employers are doing what they can to comply with data protection rules and are genuinely trying to protect staff and customers/service users, manage and delay the virus in line with Public Health England and Scottish Government advice, and manage operations accordingly.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

In the event of any enforcement action by the ICO, the ICO can:

  • issue administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher; and
  • implement a range of other measures, including:
    • issuing warnings and reprimands, imposing a temporary or permanent ban on data processing;
    • ordering the rectification, restriction or erasure of data; or
    • suspending data transfers to third countries.

Enforcement action by the ICO could also cause significant reputational damage, since the ICO publishes details of its enforcement action on its website.