With the United Kingdom beginning to open up for business, Emma Burnett and Michael Joffe of CMS-CMNO discuss the key issues facing retail companies including workplace testing.
With the United Kingdom Government having confirmed that the peak of the Novel Coronavirus (COVID-19) is behind us, life in Britain is beginning to move towards some kind of normality. On 10 May 2020, the Prime Minister set out a phased approach for the lifting of social and economic restrictions – with the key priority of restarting the British economy. Of particular interest to those in the retail sector was the re-opening of “non-essential” retail stores from 15 June 2020.
While the UK Government’s guidance remains that, where possible, employees should work from home, those who are not able to do so are being encouraged to return to their places of work. For employers looking to reopen their workplaces, this has led to a number of questions regarding what they can, and should, do to protect the health and safety of their employees and minimise the spread of COVID-19. One such method, which is gaining the attention of our clients, is workplace testing; most notably, testing to see whether an employee has COVID-19 or employee temperature testing.
Testing of any kind would, in almost all cases, require an employer to process the personal data of their employee. In most circumstances, this would involve the processing of health data (e.g. whether an employee has COVID-19 or an employee’s temperature). Health data is ‘special category data’ under the General Data Protection Regulation (GDPR) and, accordingly, subject to stricter regulation. It is therefore crucial that employers who are considering implementing such testing consider and understand their obligations under data protection law.
What does the GDPR and Data Protection Act 2018 (DPA) say about workplace testing?
Employers have an obligation under work health and safety law to protect the health of their employees and manage health and safety risks in the workplace. Accordingly, and to the extent necessary for the purpose of meeting this obligation, employers are likely to have a lawful basis under the GDPR and DPA for collecting and processing an employee’s COVID-19 status and/or temperature. Given the particular sensitivities around processing health data, employers should, among other things:
• limit the processing of such data to the extent truly necessary;
• ensure they have undertaken the requisite risk assessments, including a data protection impact assessment (DPIA); and
• put in place an appropriate policy document.
The DPIA and nature of the appropriate policy document will depend on the specific testing procedure sought to be implemented. Both of these will need to address, and require a careful evaluation of, a number of factors, including the particular risks associated with the intended processing, how the processing complies with the GDPR’s principles and the employer’s retention and erasure procedures.
What guidance has been published by the UK’s Information Commissioner’s Office (ICO)?
In anticipation of employees returning to the workplace, ICO recently published guidance for employers on the data protection considerations for workplace testing. The guidance does not amount to a blanket approval of workplace testing but indicates that ICO will be broadly comfortable with such testing if the relevant requirements are met. A summary of the key points is set out below:
• (Data protection law is not a roadblock) Data protection laws do not automatically prevent employers from undertaking workplace testing to keep their staff safe during the COVID-19 pandemic. The message from ICO is that employers need to carefully navigate the requirements of UK data protection law.
• (Transparency is key) A clear, open and honest approach with employees is crucial when processing health information. Before carrying out any tests, employers should ensure staff clearly understand what personal data will be collected, what it will be used for and how it will be shared.
• (Maintaining accountability) Employers are required to demonstrate compliance with the GDPR when processing personal data. Accordingly, employers should adopt appropriate record keeping processes. When processing health data, employers should be mindful of the additional safeguards required by the DPA and ensure these are satisfied within their general Article 30 records of processing activities obligations.
• (Keeping lists of employees who have symptoms or test positive) An employer can maintain a list of employees who have symptoms or test positive for COVID-19 if this is necessary for the stated purpose. Employers should ensure any recorded health data is kept secure and does not result in any unfair or harmful treatment of employees.
• (Sharing testing outcomes with other employees) Employers should adopt an approach that keeps their staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, care should be taken to avoid naming individuals if possible (for example, by simply informing employees that they may have been exposed to someone who has COVID-19). Employers should ensure that any information which is shared is accurate (e.g. employers should not convey that the employee has COVID-19 simply because they have a high temperature as this may be due to a different illness or virus).
What other factors should employers consider when deciding whether, and how, to implement workplace temperature testing?
The type of workplace and number of employees will be key considerations for employers. Workplaces where staff have fewer interactions and/or are able to maintain social distancing are less likely to facilitate the spread of the virus and, accordingly, may warrant (if at all) lower or less intrusive testing. Other questions which employers should consider include:
• (Means of temperature testing) How will I actually take the temperatures of my employees? Can I use thermal imaging or should I use thermometers? If I use thermometers, who will take the test – the employees themselves or a company doctor? ICO emphasises that employers should adopt an approach to testing that is proportionate and necessary. Thermal imaging is not prohibited, but employers should consider whether less intrusive means would be effective.
• (Excessive data collection and retention) What health data do I actually need to maintain a safe workplace? How long (if at all) will I keep the data for and how will it be stored? What steps should be taken if an employee returns a positive test or high temperature? Negative test results and normal temperatures should not be recorded as there is no need to do so.
• (Testing of non-employees e.g. customers, visitors etc.) Will I require non-employees who attend the workplace to also undergo testing? Is it appropriate to rely on the same legal basis for processing the health data of non-employees? It may be the case – particularly in the context of retail stores – that social distancing, hand sanitiser stations and providing visitors with face masks could be sufficient to reduce the risk of the virus spreading.
• (Alternatives to preventing the spread of COVID-19) Are there other measures which I can instead take to protect the health and safety of my employees? As noted above, social distancing measures (such as not operating all cash registers, marking out a route for customers to follow in-store and limiting the number of employees or customers in-store at any one time) could be sufficient to prevent the spread of COVID-19.
As lockdown measures are eased, workplace testing will be one of many considerations for businesses as they re-open. As the coronavirus pandemic is constantly evolving, any measures implemented with regard to testing of employees should be kept under review to ensure they continue to be justifiable in relation to circumstances existing at the time.
Emma Burnett and Michael Joffe are lawyers at CMS-CMNO. For further information contact firstname.lastname@example.org.