Data Protection and Coronavirus Testing: What are an Employer’s Obligations?

By Gary Smith


Now that lateral flow testing is available to employers of all sizes free of charge, many businesses are using testing as a way of encouraging staff back to their usual workplace. But what do you need to consider from a data protection perspective?

Does Data Protection Law Apply to COVID-19 Testing?

If you are carrying out workplace COVID-19 testing or asking staff to self-test and inform you of the result, then you will be processing personal data about them and must comply with data protection law.

This means that you must handle the information lawfully, fairly and transparently. It will be classed as special category data, which means that it is more sensitive than other data such as an email address, and more harm could come to the individual it belongs to if it is not appropriately safeguarded. You must therefore treat it extra carefully.

What Lawful Basis Can I Use for Testing?

Data protection law requires that personal data is only processed if there is a lawful reason for doing so. It is likely that the ‘legitimate interest’ ground can be used as the reason for processing the test result data, but employers should make their own assessment.

Because COVID test results constitute special category data there are additional grounds for processing that must be satisfied, known as Article 9 conditions, as set out at Article 9 of the Data Protection Act 2018.

Of these it is likely that employers could rely on Article 9 (2) (b) which allows sensitive data to be processed if it is necessary to comply with employment law, such as health and safety obligations which could include ensuring the workplace is COVID-secure.

Alternatively, an employer could rely on the public health condition in Article 9 (2) (i) which permits processing for reasons of public interest in public health, namely, to help stop the spread of the COVID-19 virus.

Again, it is necessary for organisations to make their own assessment of whether the Article 9 conditions are satisfied and if so, which they rely upon when processing test result data.

What Do I Need to do Before Introducing Testing?

If you are introducing workplace testing it is recommended that you undertake a data protection impact assessment to consider the risks involved with this and how you intend to overcome them.

As always, it is imperative to be honest with your staff about how you use their personal data, who it will be shared with and what decisions will be made with the data.

You may need to think about updating existing privacy notices to cover this information.  Obviously, any test results or other health information must be kept extremely securely.

You should also consider introducing a policy explaining to staff the approach that you are taking to testing.

Can I Share Details About the Test Results?

If an employee tests positive, then you may need to share that information with third parties such as public health authorities as well as other staff who have been in contact with the employee who has tested positive.

However, when sharing details with other staff wherever possible you should avoid naming individuals in order to protect their identity and their sensitive personal data.  

For more information and to find out how we can help you, please contact us on 0345 646 0406 or fill in our online enquiry form and a member of our Team will be in touch.