As the Government continues to ease lockdown restrictions and organisations increasingly welcome staff back into their premises, it is understandable that many employers are introducing testing in the workplace to determine whether any of their staff have, or may have, COVID-19 – widespread transmission of the disease throughout the workforce would have an inevitable and significant impact on a business.
Carrying out testing on your workforce is not mandatory nor is it explicitly recommended by the Government. That doesn’t mean you shouldn’t do so; however, it is key that testing is conducted responsibly and with your data protection obligations in mind. We set out below answers to a number of FAQs:
- Do we need to obtain consent to test a worker? Yes – to do otherwise could amount to a serious breach of contract and lead to complaints including, at worst, constructive unfair dismissal. Practically speaking, if clear reasons for testing are given to staff (i.e. to minimise the risk of transmission and avoid business closure), they are likely to be forthcoming with consent.
- Do we need to test everyone? Yes – applying testing consistently to all staff will limit the risk of any discrimination or bullying complaints.
- What if a worker refuses to consent? Individuals have the right to refuse their consent. However, depending on the circumstances, it may be arguable that the requirement to undergo testing is a reasonable management instruction to enable you to comply with your legal obligation to ensure the health and safety of staff and a safe system of work.
- Can we send a worker home if they refuse consent? Yes; however, taking such action would be akin to suspension and, therefore, should be reasonable and proportionate. Suspension should be for as short a period as possible; if a worker continues to refuse their consent, appropriate follow-up action should be taken without delay (see below).
- Can we take disciplinary action against a worker who refuses to consent? A failure to follow a reasonable instruction without good explanation could lead to disciplinary action. However, whether you should in fact take action will depend on the circumstances, including whether the worker is contractually obliged to take a test (and therefore in breach of contract by refusing to do so), whether it is, in fact, reasonable for you to request that the worker is tested in the circumstances, and the reason for the worker’s refusal.
In any event, disciplinary action shouldn’t be an automatic response or openly used as a threat in order to coerce individuals into being tested. To do otherwise may risk an argument that consent was not freely given.
- What if a worker fails a test? They may be discreetly asked to leave the premises (or told not to come into work) and told to self-isolate in accordance with Government guidelines, either working from home if they are able and well enough to do so, or on sick leave. You should maintain a record of all staff sent home for failing a test, in accordance with data protection requirements under the GDPR.
- What if a worker refuses to leave the premises? They should not be physically or forcibly removed. Rather, you should seek to persuade them to leave of their own accord. If that doesn’t work, we would suggest taking advice before taking any further action. You may consider disciplinary action against the staff member when s/he returns to work for failing to follow a reasonable instruction (bearing in mind the factors outlined above).
- What are the data protection considerations under the GDPR? The act of recording a worker’s test results (even if just noting whether it is a pass or fail), as well as any subsequent action taken, is likely to amount to “special category personal data” under the GDPR, unless kept completely anonymous.
“Special category personal data” can only be processed on certain grounds. The least risky approach would be to obtain an express written statement of consent from each worker, ideally on a form which includes clear details as to how you will comply with your data protection obligations. You cannot rely on a worker’s affirmative action as a means of explicit consent. Likewise, a generic form of consent in a contract of employment relating to health checks is unlikely to be sufficient for data protection purposes.
In any event, you should be able to rely on the lawful ground of “necessary” processing for compliance with your legal obligation of ensuring the health, safety and welfare of staff as long as the processing is, in fact, necessary.
- What does the ICO say about testing the workforce for COVID-19? The ICO has issued its own guidance in relation to the data protection issues associated with employers carrying out testing on their staff. The key points are:
  - Data relating to an individual’s health should be treated carefully; you should not collect more information than is necessary and proportionate;
  - If the same results can be achieved through other, less privacy intrusive means, the processing in question may not be considered proportionate. In order to combat such an assertion, you should record your thought process, for example in a Data Protection Impact Assessment (see further below), as to why such less intrusive means would not necessarily achieve the desired outcome of keeping your staff safe;
  - Any information that is collected must be kept securely and must be accurate;
  - With specific reference to temperature checks (and other “intrusive technologies”), you should give specific thought to the purpose and context of such checks and be able to justify their use;
  - Testing needs to be in keeping with your staff’s reasonable expectations. Here, the key is transparency; to this end you should update (and keep under review) your Staff Privacy Notice in light of any new personal data that you are processing.
- What steps can we take to show compliance with our data protection obligations? You should undertake a Data Protection Impact Assessment (DPIA) to document your decision-making in connection with the processing of personal data in relation to testing staff (and any measures you are taking as a result of the pandemic generally). The DPIA should be regularly reviewed and updated.