COVID-19: Health surveillance and data protection
Can an employer ask employees about the existence of any COVID-19 symptoms or diagnosis?
The ICO guidance confirms that an employer can ask an employee about COVID-19 symptoms where there is good reason to do so. In the current climate, this falls squarely into the bracket of protecting the health and safety of employees. Only the minimum amount of data should be collected and retained for the purpose identified and used only in a way that is necessary and relevant. As always, this data must be kept secure and confidential.
Can employers take temperature readings from employees?
Yes, if strictly necessary. Data protection law does not prevent employers from taking necessary steps to keep staff and the public safe. In the context of employees returning to the workplace, in carrying out temperature checks an employer may be able to rely on Article 9(2)(b) GDPR / paragraph 1 schedule 1 DPA 2018 as the lawful basis for processing, subject to consideration of other less intrusive means of monitoring.
In this context how can an employer ensure compliance with data protection principles?
Employers should carry out a Data Protection Impact Assessment and be able to demonstrate that thought has been given as to why intrusive means of monitoring employees’ health have been chosen. Monitoring must be proportionate. To ensure compliance with the principle of accuracy, employers will need to carefully date all results, as they will quickly become out of date as an employee’s health changes over time. The need for the information to be retained will need to be reassessed, with secure deletions undertaken.
Can an employer keep a record of employees diagnosed with the virus and can the employer inform other employees about the diagnosis?
Yes, with some provisos. The ICO has flagged concerns about the potential misuse of this kind of information and an employer must be careful not to use details of an employee’s symptoms or diagnosis for any purpose which the employee concerned might not reasonably expect. Staff should be kept informed about cases within the organisation, but employers should consider whether this can be done without identifying a particular individual. An employer’s duty of confidentiality and data protection obligations must be balanced against its duty of care as to the health and safety of employees. A blanket approach should not be adopted.