Following our previous article on how organisations may collect personal data lawfully in an attempt to control the spread of the COVID-19 pandemic, the ICO has provided updated and consolidated guidance. The guidance again emphasised the ICO’s proportionate approach to enforcing the General Data Protection Regulation ('GDPR') during the pandemic, which has been well received by businesses. In addition, the ICO provided further details on how organisations may collect data lawfully and proportionately when implementing testing or other screening measures for COVID-19 in the workplace.
Testing and screening for COVID-19
One of the key requirements of GDPR is that the collection of personal data must be necessary and proportionate in relation to the controller’s stated purpose and the relevant lawful basis. The ICO’s previous Q&A provided limited guidance on how organisations should approach such an assessment. However, the latest guidance has helpfully set out the following factors that organisations could take into consideration:
- the types of work their staff do and whether working from home is possible. In its case study, the ICO set out the example of a manufacturer, whose workers are unable to work from home, making onsite screening (questionnaires) more likely to be necessary;
- the type of premises the organisation has;
- specific regulations or health and safety requirements that apply to the organisation or staff and any duty of care owed;
- whether the proposed approach can be less intrusive. The ICO has recommended that organisations ask the following questions when they consider the intrusiveness of the proposed measure:
  - whether the collection of health information can be confined to the highest-risk roles;
  - whether access to health information can be limited so that it will only be seen by medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility;
  - whether reasonable alternative measures are available, including strict social distancing or working from home.
- whether the proposed testing/screening measure reflects the latest government guidance. It is always good practice to keep COVID-19 screening measures under review in line with government guidelines to ensure that the personal data collected remains relevant.
In response to the question of whether organisations can make COVID-19 symptom checks mandatory, the ICO highlighted that it is not simply a data protection issue, but also involves employment law and the terms of the employment contract in question. Some of these issues were discussed in our previous article. From a data protection perspective, organisations are recommended to consider carefully whether such a mandatory measure may have negative consequences for certain individuals.
The frequency of carrying out COVID-19 checks will also depend on the nature of the organisation and the work its staff do. Organisations in the health and social care sector, for example, are more likely to require more frequent COVID-19 screening than those in lower-risk sectors.
Onsite Surveillance
The ICO did not particularly encourage the use of onsite temperature checks or thermal cameras, emphasising that organisations should consider less intrusive means. In practice, the introduction of such measures needs to be designed carefully and carried out following legal advice. The ICO also recommended that organisations who intend to use thermal cameras should carry out impact assessments and recommended the surveillance camera DPIA template it developed jointly with the Surveillance Camera Commissioner.
Similarly, the ICO recommended that organisations approach other forms of surveillance cautiously, such as the use of ordinary CCTV. Employees may not expect to be monitored this way and often alternative measures may be available to achieve the same goal. In addition to data protection issues, organisations need to take into consideration that individuals still have legitimate expectations regarding their private life in the workplace as well.
Where organisations do consider that analysing recorded CCTV footage may be useful in contact tracing where a visitor/employee has subsequently been diagnosed with COVID-19, organisations are again recommended to assess the necessity of the measure and consider alternatives, as CCTV footage could reveal sensitive information about individuals. Where such analysis is considered necessary, the ICO recommends that organisations speak to the affected individuals about the intended use of the CCTV footage before reviewing the footage and support their exercise of data subject rights.
If you would like assistance with your data protection matters in this challenging time, please contact our Data Protection team.
For those in the real estate sector, we have also published an article on data protection issues commercial landlords should consider.