Introduction
With the lockdown being relaxed and employees starting to return to work, there will be concerns, both for employers and employees, about the risk of coronavirus contagion within the workplace. This is particularly the case because the Test and Trace system launched by the Government is suffering from some initial issues in relation to its efficacy, and the NHSX contact tracing app is still to be launched.
Consequently, some employers may wish to embark upon workplace testing for coronavirus as part of their risk assessment and mitigation measures. However, it is important to bear in mind that such testing cannot simply be put into place overnight. Employers thinking of implementing workplace testing should be planning for it now.
Alongside the HR and regulatory aspects relating to workplace testing, compliance with data protection laws is absolutely fundamental. Amongst the key principles which must be borne in mind are those relating to the processing of personal data in a lawful, fair and transparent manner.
The Importance of Data Protection Impact Assessments
The starting point should be to undertake a Data Protection Impact Assessment (DPIA). This will help formulate the various aspects of the data processing arrangements required, as well as identify risks and mitigation measures. Furthermore, the DPIA assists with demonstrating accountability under the data protection laws.
A number of requirements will need to be considered and determined as part of the DPIA, such as:
- a description of the processing operations in respect of the personal data, including:
  – which personal data will be collected – this needs to be aligned with the legal requirements relating to ‘data minimisation’, namely that only the data required to achieve the respective purposes is collected. The personal data which is gathered also needs to be adequate, relevant and limited for such purposes. So, by way of example, it would be appropriate to record whether the result of a test is positive, but it would not be appropriate to collect other underlying health information;
  – how the personal data will be collected;
  – how the personal data will be processed;
  – how the data protection requirements for ‘accuracy’ will be upheld;
  – who the personal data will be shared with (so data flows will also need to be considered);
  – how and where the personal data will be stored;
  – data retention arrangements, including how and when the personal data will be deleted;
- the purposes of the processing of the personal data – keeping in mind the data protection legal requirements relating to ‘purpose limitation’. The purposes should be made clear to guard against the risk of subsequent unlawful ‘scope creep’;
- the lawful basis for the processing – ‘legitimate interest’ is likely to be the most appropriate lawful basis as, from a data protection legal compliance perspective, organisations will not be able to rely upon ‘consent’ from employees in such a workplace setting. This is due to the perceived ‘imbalance of power’ associated with the employer and employee relationship, meaning that consent cannot be said to be freely provided in such circumstances;
- the criteria being used to permit processing of health data (as health data falls within the scope of ‘special categories’ of data, and is therefore subject to a number of prerequisites from both a GDPR and Data Protection Act 2018 perspective);
- an assessment of the necessity and proportionality of the processing operations to achieve the identified purposes. This would involve checking that only what is required to be done with the data is undertaken (including from a data flow, analysis and storage perspective, all as documented in the DPIA) to achieve the objectives of the testing exercise;
- an assessment of the risks to employees from the processing of their personal data; and
- the measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with data protection laws. This would include aspects such as: user access restrictions to the data; encryption of the data; automatic data deletion once the retention period has elapsed; limited circulation of the data; and confidentiality measures being implemented and enforced.
Additional Data Protection Considerations
The above will also give rise to additional considerations, such as whether third party service providers are going to be used (including in respect of any Cloud processing or storage of personal data). If so, further data protection considerations will need to be addressed, including:
- due diligence in respect of the third party service providers;
- data processing contracts, including compliance arrangements with the GDPR requirements for processor arrangements;
- whether such third parties are going to be processing the personal data outside the UK or Europe, in which case international data processing safeguards must also be implemented.
Furthermore, mandatory data protection registers, identifying data processing activities, will need to be updated to reflect this new process.
Transparency is Key
One of the key criticisms that has arisen in the media about the Government’s Test and Trace system, as well as the forthcoming NHSX app, has been the perceived lack of transparency about the processing arrangements. At the moment, such negative views seem to be undermining the Government’s efforts. By analogy, it is therefore important that the transparency of processing requirements are complied with within the workplace regarding any proposed testing, not only to comply with data protection legal requirements, but also to reassure employees about how their data is being handled. This can be accomplished by using the information gained from the DPIA to formulate privacy notices. Where appropriate, employees should also be consulted about the proposed processing of personal data as part of the workplace testing initiative.
Proper Purpose Consideration
With regard to the data which is being collected and the purposes for which it is being used, one has to think beyond just the initial test. Organisations need to consider what they are going to do with the outcome of that test, for both positive and negative results. Where someone has tested positive and an organisation undertakes internal contact tracing to seek to determine who else may have come into contact with the infected employee, some quite significant privacy considerations arise. For example, how is the internal contact tracing going to be conducted, and by whom? If internal CCTV footage is intended to be used for such purposes, then this will also need to be addressed in the DPIA. Another consideration is whether internal contact tracing can be undertaken without revealing the identity of the infected individual to co-workers. It has already been noted with the Government’s forthcoming NHSX contact tracing app that there can be situations where the identity of an individual can be deduced by their contacts, if such contacts have only had a limited number of interactions with third parties. Similar issues may arise within the workplace. Therefore, the DPIA needs to factor in such considerations.
Respecting and Factoring In Data Protection Rights and Compliance
It is also important that employees are able to exercise all of their applicable data protection rights, including subject access rights, with regard to any workplace testing processes. Factoring this into the process during its initial formulation will help ensure compliance with the mandatory requirements of the data protection laws. Furthermore, this guards against time, cost and resource intensive procedures having to be deployed later, where the issue is addressed reactively rather than proactively at the outset. Again, such considerations will form part of the DPIA.
The above should illustrate why it is vital that organisations start preparing now for any prospective workplace testing arrangements, well in advance of any proposed start date for them.
Jagvinder Singh Kang is a specialist technology lawyer, data protection lawyer and qualified software engineer. He is also the International Head of IT Law at the leading law firm, Mills & Reeve.