On Saturday 31 October 2020, the government announced that England will be on lockdown from 5 November 2020 for a period of 4 weeks. It is important to note that for many workers it is not possible to work from home, meaning that many will still need to attend their workplace. Given the increased risk of COVID-19, many businesses will need to give careful consideration to their obligations in keeping their workplace safe, which may involve the implementation of measures such as temperature checking and testing for COVID-19.
Overview of Health data:
The main laws governing data and its processing are the Data Protection Act 2018 (“DPA”) and the General Data Protection Regulation (“GDPR”).
Health data is classified as special category data. This means it is subject to a greater level of protection than ordinary personal data. Importantly, it raises the bar for lawful processing, as two grounds for processing are required: one under Article 6 (“Art.6”) and the other under Article 9 (“Art.9”).
When considering the lawful grounds to process health data, you must first have a valid lawful basis to process personal data at all. The lawful bases for processing are set out in Art.6 of the GDPR, the most common grounds being that the processing is: (1) necessary for an organisation’s legitimate interests, (2) necessary for compliance with a legal obligation (law, not contractual obligations), or (3) necessary for the performance of a contract. Once you have established your Art.6 ground, you need to make sure it is documented and that the individuals are made aware.
Next, you must look at the additional grounds to process special category data under Art.9. As with Art.6, you only need one ground. There are numerous Art.9 grounds, but very few of them will be applicable in this context. For the purposes of health data, the most common grounds are likely to be: (1) explicit consent, or (2) necessary to carry out rights and obligations under employment law. Once you have established your Art.9 ground, you need to make sure it is documented and that the individuals are made aware.
In addition to Art.6 and Art.9 grounds, you are required to have an appropriate policy document in place. If your privacy notices were drafted prior to the COVID-19 pandemic, you may wish to update them if you are looking to collect data surrounding COVID-19.
Once you have decided upon your legal basis, you must consult and engage with the individuals and explain what you are collecting and why. Ensure you keep data to a minimum. A Data Protection Impact Assessment (“DPIA”) may assist.
DPIAs are used to assess the impact of data processing activities on the protection of personal data. They help ensure that organisations consider the privacy by design requirements of the GDPR. The ICO’s guidance on workplace testing recommends that a DPIA is conducted before that testing is put in place.
Can you temperature test your employees and visitors?
Many organisations have started to temperature test employees and visitors due to the COVID-19 pandemic. However, in most cases, this is probably not lawful. The ICO states that, “Taking a temperature involves the processing of personal data even if no information is recorded.” This may seem strange; however, the definition of “processing” is very wide and includes the mere collection or use of data, no matter how brief. Even if the person taking the reading does not know the person whose temperature is being taken, that person may still be identifiable to the controller (especially if they are a worker or a visitor to the premises). The ICO has therefore not said that you cannot temperature test employees or visitors; however, it has said that this requires “a stronger justification, and should be considered as a potentially intrusive technique.”
The government guidance on COVID-19 testing in the workplace does not cover temperature checks or the use of thermal cameras as a means of testing staff. The Medicines and Healthcare products Regulatory Agency (“MHRA”) has noted that there is little scientific evidence to support temperature testing as a reliable method of detecting COVID-19. In the MHRA’s press release of 3 July 2020, it states that “temperature readings from temperature screening systems will measure skin temperature rather than core body temperature… natural fluctuations in temperature can occur among healthy individuals. These readings are therefore an unreliable measure for detection of COVID-19”.
However, if you decide that this is something you wish to do, then you must go to Art.6 and Art.9 for your fair and lawful grounds for processing and must also ensure that you have an appropriate policy document in place.
Can you test your employees and visitors for COVID-19?
As with any type of processing that involves special category data, you need to ensure that you have a valid legal basis under both Art.6 and Art.9. Your organisation may find it difficult to overcome the “necessity” hurdle when determining grounds under Art.6 and Art.9; this is where the challenge lies in determining whether COVID-19 tests are necessary. The ICO has released guidance on this and has said there are a number of factors that must be considered when making the necessity assessment. These include: the type of work that the employees do, the type of premises that the employer has, whether working from home is possible and the effectiveness of the chosen test at providing accurate results.
Our view is that it will be difficult for most companies to argue that COVID-19 tests are necessary, for two main reasons. The first is that in white collar environments there are other, less intrusive measures that can be taken to ensure a COVID-19 safe and secure working environment. For some organisations, such as factories and schools, there may be more of an argument that testing is necessary if employees are often in close contact with one another. The second is that COVID-19 workplace testing has not been deemed to be necessary by the UK government. It may therefore be difficult to argue that this type of testing is justified in all settings, given that it is not in line with current government guidance.
Can you use CCTV to determine whether somebody has been in “close contact” with somebody who has tested positive for COVID-19?
The ICO has stated that, “in the context of COVID-19, we recognise that analysis of CCTV footage could assist with contact tracing and enable others to self-isolate. You should assess whether this is necessary in the specific circumstances and consider speaking to the individuals who would be affected about the use of CCTV and to provide advice on appropriate measures such as self-isolation. Analysis of CCTV footage could reveal sensitive aspects of an individual’s behaviours and relationships. Employees have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.”
Before any CCTV footage is used, the personal data needs to be collected in a lawful manner; therefore you would again look to Art.6 and Art.9.
You would further need to consider whether you have separate privacy notices for CCTV footage; if so, they may need to be reviewed, updated and re-issued to those whose personal data may be used to determine who has been in close contact. If you have a legal basis to use CCTV but have not updated your privacy notice, it is highly likely that there will be a breach of the fair and lawful processing principles.
In practice, using CCTV to determine who an employee has been in contact with throughout the working day may be a lengthy and potentially inaccurate process (for example, if your CCTV does not cover every part of the premises). Other methods should be considered, such as seating plans, records of office attendance, or discussions with the office manager or someone with responsibility for employee welfare who was in the office on the day in question.
It is important to remember, when notifying individuals that someone has tested positive, that data minimisation principles still need to be followed. The ICO states that wherever possible, organisations should make the necessary notifications without naming the individual who has tested positive. The ICO has a CCTV code of practice, although this has not been updated since the Data Protection Act 2018 became law. It does, however, set out useful guidance and states that CCTV use “will need to be justified and shown to be necessary and proportionate”.
Can we force employees to download the NHS Track and Trace app?
No. You can encourage your employees to download the app but use of the app is voluntary; you cannot force employees to use it.
What are the privacy implications of working from home?
There has of course been a huge increase in working from home since lockdown. The government guidance from 22 September 2020 is that those who can work from home should do so. Since March, home workspaces have been created very quickly, with some employees sharing workspaces with others, which is not ideal for organisations as it could give rise to confidentiality and data protection issues.
Data controllers find they now have less control over data leaving the office. They need to ensure that data is properly safeguarded. There is ICO guidance on this, which includes a checklist of the sort of things that need to be taken into account (e.g. phishing threats and other cyber security considerations): https://ico.org.uk/for-organisations/working-from-home/
The ICO states that employees should be trained on privacy issues. It also acknowledges that work from home environments were set up quickly, but software choices should be reviewed where time permits and made more secure.
What are the legalities surrounding monitoring software and other tools for assessing productivity?
The first thing to note is that covert monitoring to assess productivity is unlawful. It is only acceptable in very limited circumstances, such as serious criminal investigations where the intention is to get the police involved at some point. Any other type of monitoring will need to be overt.
Back in 2017, the (then) Article 29 Working Party released an opinion on data processing at work. The opinion specifically talks about the boundaries between home and work becoming increasingly blurred. It explains the importance of having a plain English and readily accessible employee monitoring policy so that employees understand exactly how they are being monitored and the consequences of it. The opinion also suggests that the emphasis should be on prevention rather than detection. Therefore, organisations should spend more time promoting productivity and good working practices rather than trying to catch people out.
The opinion further says that, in order to mitigate the risk of an employee working from home away from the physical security measures of the office, employers may believe there is a justification for using software that logs keystrokes or mouse movements, captures screens, or logs how long people spend on certain applications. But the opinion says that this is disproportionate and the employer is unlikely to have legal grounds under the legitimate interests basis.