Workplace testing for coronavirus - data protection considerations can’t be factored in overnight


With the lockdown being relaxed and employees starting to return to work, there will be concerns for both employers and employees about the risk of coronavirus contagion within the workplace. This is particularly the case as the Test and Trace system launched by the Government is suffering from some initial issues in relation to its efficacy, whilst the NHSX contact tracing app is still to be launched.

Consequently, as part of employers’ risk assessment and mitigation measures within the workplace, some may wish to embark upon workplace testing for coronavirus. However, it is important to bear in mind that this cannot simply be put into place overnight. Therefore, employers thinking of implementing workplace testing should be planning for it now.

In addition to the HR and regulatory aspects of workplace testing, compliance with data protection laws is absolutely fundamental. Amongst the key principles which must be borne in mind are those relating to the processing of personal data in a lawful, fair and transparent manner.

The Importance of Data Protection Impact Assessments

The starting point for designing workplace testing processes and procedures with privacy in mind is to undertake a Data Protection Impact Assessment (DPIA). This will help with formulating the various aspects of the data processing arrangements, as well as identifying risks and mitigation measures. The DPIA also assists with demonstrating accountability under the data protection laws.

A number of requirements will need to be considered and determined as part of the DPIA, such as:

  • A description of the processing operations in respect of the personal data, including:
    • Which personal data will be collected – this needs to be aligned with the legal requirements relating to ‘data minimisation’, i.e. only the data required to achieve the respective purposes is collected (with the collected personal data being adequate, relevant and limited to such purposes)
    • How the personal data will be collected
    • How the data protection requirements for ‘accuracy’ will be upheld
    • Who the personal data will be shared with (so data flows will also need to be considered)
    • How and where the personal data will be stored
    • Data retention arrangements, including how and when the personal data will be deleted
  • The purposes of the processing of the personal data – with the data protection legal requirements relating to ‘purpose limitation’ kept in mind, i.e. that the purposes are made clear, to guard against the risk of subsequent unlawful ‘scope creep’.
  • The lawful basis for the processing – ‘legitimate interest’ is likely to be the most appropriate lawful basis, considering that, from a data protection legal compliance perspective, organisations will not be able to rely upon ‘consent’ from employees in such a workplace setting.
  • The criteria being used to permit processing of health data (as health data falls within the scope of ‘special categories’ of data, and is therefore subject to a number of pre-requisites from both a GDPR and Data Protection Act 2018 perspective).
  • An assessment of the necessity and proportionality of the processing operations to achieve the identified purposes.
  • An assessment of the risks to employees from the processing of their personal data.
  • The measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with data protection laws.

Additional Data Protection Considerations

The above will also give rise to additional considerations, such as whether third party service providers are going to be used (including in respect of any Cloud processing or storage of personal data). If so, further data protection considerations will need to be addressed, including:

  • Due diligence in respect of the third party service providers.
  • Data processing contracts, including compliance arrangements with the GDPR requirements for processor arrangements.
  • Whether such third parties are going to be processing the personal data outside the UK or Europe, in which case international data processing safeguards must also be implemented.

Furthermore, mandatory data protection registers, identifying data processing activities, will need to be updated to reflect this new process.

Transparency is Key

One of the key criticisms that has arisen in the media about the Government’s Test and Trace system, as well as the forthcoming NHSX app, has been the perceived lack of transparency about the processing arrangements. At the moment, such negative views seem to be undermining the Government’s efforts. By analogy, it is therefore important that the transparency requirements for processing are complied with in the workplace regarding any proposed testing, not only to comply with data protection legal requirements, but also to reassure employees about how their data is being handled. This can be accomplished by using the information gained from the DPIA to formulate privacy notices. Where appropriate, employees should also be consulted about the proposed processing of personal data as part of the workplace testing initiative.

Proper Purpose Consideration

With regard to the data which is being collected and the purposes for which it is being used, one also has to think beyond just the initial test. Organisations need to consider what they are going to do with the outcome of that test, for both positive and negative results. In addition, where someone has tested positive, if an organisation is going to undertake internal contact tracing to determine who else may have come into contact with an infected employee, this gives rise to some quite significant privacy considerations as well. For example, how is the internal contact tracing going to be conducted, and by whom? If internal CCTV footage is intended to be used for such purposes, then this will also need to be addressed in the DPIA. Another consideration is whether internal contact tracing can be undertaken without revealing the identity of the infected individual to co-workers. It has already been noted with the Government’s forthcoming NHSX contact tracing app that there can be situations where the identity of an individual can be deduced by their contacts, if such contacts have only had a limited number of interactions with third parties. Similar issues may arise within the workplace. Therefore, the DPIA also needs to factor in such considerations.

Respecting and Factoring In Data Protection Rights and Compliance

It is also important that employees are able to exercise all of their applicable data protection rights, including subject access rights, with regard to any workplace testing processes. Factoring this into the process during its initial formulation will help ensure compliance with the mandatory requirements of the data protection laws. It also guards against having to deploy time, cost and resource intensive procedures later on, which is what happens when this is addressed reactively rather than proactively at the outset. Again, such considerations will form part of the DPIA.

The above should illustrate why it is vital that organisations start preparing now for any prospective workplace testing arrangements, well in advance of any proposed start date for them.

This article has also been published in the leading technology journal by SCL, Computers & Law.
