Work Place Temperature Testing
As employees are now being encouraged to return to work, if they cannot work from home, employers need to consider the measures they have in place to protect employees from contracting COVID-19.
One such measure that employers could consider is regularly testing employees by taking their temperature to establish whether the employee has or is presenting symptoms of the virus.
There are a number of considerations that employers need to consider if they wish to implement the testing of employees.
Data Protection and GDPR
As employers will be processing information that relates to an identified or identifiable individual, they will need to comply with the EU’s General Data Protection Regulation (GDPR) and the Data Protection Act 2018. That means a requirement to handle data lawfully, fairly and transparently.
Data protection law does not prevent employers from taking the necessary steps to keep employees safe and the public safe and supported during the present pandemic. But it does require employers to be responsible with employees’ personal data and ensure it is handled with care.
As long as there is a good reason for doing so, employers are able to process health data about COVID-19. Employers can argue that this type of processing is necessary because of an employment law obligation that the employer is subject to.
The obvious one in this context will be the legal duty under the Health and Safety Act 1974 to ensure, so far as is reasonably practicable, the health, safety and welfare of employees and those who may be affected by the employer’s activities, and the legal obligation to pay statutory sick pay.
To show that a method of processing of test data is compliant, employers would need to act in accordance with the accountability principle. This makes employers responsible for complying with the GDPR and says that employers must be able to demonstrate compliance (such as through additional record keeping requirements when processing sensitive data. One way of demonstrating accountability is through a data protection impact assessment (DPIA)).
Data Protection Impact Assessment (DPIA) & Company Policy
If an employer is going to undertake testing and process health information, then they should conduct a DPIA focussing on the new areas of risk.
This DPIA should set out:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective
An employer should also consider creating a policy in relation to the testing process. This can be inserted into an employee handbook, and will clarify the employer’ approach towards the processing, use and retention of the data.
Collecting the correct amount of data
As part of the regulations employers must not collect too much data. Employers must ensure that the date they collect is:
- adequate – enough to properly fulfil the stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – they do not hold more than needed for that purpose.
Transparency with Employees
Employers should keep employees informed about potential or confirmed COVID-19 cases amongst their colleagues. However, employers should avoid naming individuals if possible, and should not provide more information than is necessary.