Returning to work and data protection: The golden rules
We are seeing daily media images and reports of people being tested by thermal imaging cameras and undergoing temperature checks as a condition for entering a workplace or public building. Using these measures in your business needs careful planning and will be unlawful without the appropriate policies and assessments.
You cannot implement effective workplace temperature or infection testing without collecting and sharing personal data. The ICO has recently issued guidance on what it expects you to do. You should consider these golden rules:
1. Legal entitlement
The GDPR requires you to identify, in writing, both (i) the lawful basis on which you are testing and collecting information and (ii) the additional condition you rely on to collect health data.
2. Written policies
Some of your data privacy compliance policies will need to be updated, in particular your appropriate policy document for special category personal data, your organisation’s data protection policy and your confidentiality/information security protocols.
3. Written assessments
Mandatory testing is fundamentally privacy-intrusive and there are inherent risks of adverse impact on employees. The ICO, therefore, considers both a data protection impact assessment and a legitimate interests assessment obligatory.
4. Should we tell employees?
Your employee privacy notice (“EPN”) is unlikely to be specific enough to satisfy your transparency obligations in the circumstances. You should update your EPN with a dedicated Covid-19 section setting out your workplace testing measures and how they involve personal data.
5. Can we share the information internally?
Yes, but apply sensible “need to know” rules which staff can easily and consistently follow. Think clearly: for the purpose of the communication, what is the minimum amount of personal data you need to use?
If you need any help drafting or amending any assessments, policies or notices, or need further information about the legal compliance of your workplace testing regime, then please contact our Data Privacy expert, Lucas Atkin.