In the last few months our employment team and specialist data protection team have received many questions from employers about implementing temperature testing or thermal imaging for employees in the fight to keep their work spaces and employees protected from Coronavirus.
With Covid-19 tests now more freely available, many employers, particularly those in high risk sectors, are looking at introducing Coronavirus tests for staff. As many more businesses re-open in the coming weeks it is likely other businesses will follow suit and may start taking temperatures of staff and customers / guests of businesses – but what are the privacy implications?
Employee monitoring and processing of health information has always been a tricky area which requires careful consideration. We may be in a global pandemic and introducing new systems which impact on privacy in these exceptional circumstances may well be justified and proportionate – but it is important that businesses do not make snap decisions or assumptions, and instead address data protection considerations in the normal way. This means documenting their thought process and decision making to comply with the accountability obligations under GDPR.
Businesses will need to carry out a Privacy Impact Assessment
The first step to consider in implementing any type of employee monitoring is to carry out a privacy impact assessment.
A privacy impact assessment allows an organisation to identify and minimise the risks posed to data subjects when carrying out a new project. Under GDPR you must do a Privacy Impact Assessment before you begin any type of processing that is likely to result in a high risk to the rights and freedoms of individuals.
It is advisable to always carry out a Privacy Impact Assessment when you are looking at new technology solutions which will process personal data due to the risks involved. Temperature testing is a high risk activity and should only be carried out once a Privacy Impact Assessment has been carried out. This is an important step and should not be ignored.
What should I consider?
Health information is Special Category data
As part of the Privacy Impact Assessment you need to consider your lawful basis for processing information about an employee’s temperature. Whilst a person’s temperature may seem like inconsequential information, someone’s temperature is health information and is therefore a Special Category of Data which is given higher protection under GDPR.
A temperature can reveal other health information about an individual. It may be necessary for you to collect other health information to interpret the results (for example an individual may have another non-covid related reason for a slightly elevated temperature), although somewhat confusingly, the ICO advises against collecting other health information if you can.
To process Special Category data you need a condition of processing and a lawful basis. Many employers are seeking consent to these activities but consent is rarely likely to be the correct lawful basis in an employment relationship, as employees rarely have a free choice. Effectively, if they want to keep working they will feel they have to consent. This is not the freely given consent required under GDPR. You will therefore need to look at the other lawful bases in the employment context. If the legitimate interests of a business are to be relied upon as a lawful basis, it is important that a legitimate interests assessment is carried out and documented.
Your GDPR obligations
Any monitoring of employees needs to be necessary and proportionate, and you need to consider the reasonable expectations of the data subjects and ensure they are informed of how you will process their personal data and why – this is key to your transparency obligations under GDPR. In looking at proportionality it is important you consider whether less intrusive methods can be used to achieve the same aim.
You also need to consider where the data collected will be stored and for how long and ensure a policy is in place for this. For example, will you be keeping historic records of temperatures or not?
Whilst employee testing may help in getting people back to work safely it is important employers don’t forget their data protection obligations during this time.
Communication & HR
At a time when employees may already be anxious about returning to work and emotions are running high, it is more important than ever that new initiatives are handled sensitively and in compliance with applicable law. Data protection should not be seen as a barrier to these types of monitoring (which might not normally be proportionate but may be appropriate in the current climate) but it is important that businesses follow correct processes and implement appropriate policies first.
If you decide to implement such measures it is important they do not automatically become the new norm and that they are kept under continuous review to ensure they remain proportionate and necessary. Your Privacy Impact Assessment should be reviewed and updated regularly.
In planning such tests it is also sensible to think about what you will do if someone has either a temperature or a positive Covid-19 result. Clearly you may need to ask them to self-isolate but be clear on what you will pay them during this and who that data will be shared with. You also need to consider how you will handle any person refusing to take the tests. This can be a tricky matter especially if other staff feel unsafe as a result. It is important to have your HR processes all ready to deal with such events.
Stephens Scown have helped many organisations with implementing such measures and have significant experience in this area – please get in touch today if you would like assistance with implementing testing in your business.