Are you monitoring staff health during COVID-19?

October 2020

As part of a suite of measures to protect their workforce against the spread of Coronavirus, some companies have put in place new measures to monitor their staff’s health in the workplace.

Some may be using questionnaires, while others have opted for more intrusive biometric measures, such as temperature testing employees as they enter the building.

A symptom commonly associated with COVID-19 is a rise in body temperature or fever. The latest Government guidelines state that anyone with a fever should self-isolate as a precaution. Of course, a rise in body temperature might not be caused by COVID-19.

Not all COVID-19 patients have a fever, and fevers could be caused by other conditions. However, temperature testing is one method used to identify which individuals might potentially pose a risk to others.

What steps should you take if you are considering introducing new tests?

Any collection and use of health data should be conducted with care, in line with the principles of data protection law. Here are some pointers.

1. Plan out your process

  • How and where will you carry out the testing? You should use contact-less thermometers. If testing takes place in the reception area, is this likely to cause delays to people arriving for work?
  • How will you manage the contact tracing? If you will be testing visitors as well as employees and contractors, you will need to be sure you can contact them later if the need arises.
  • What steps will you take when a high temperature is detected?
  • Will you be recording negative test results, or just positives?

Also see the ICO guidance on collecting customer and visitor details for contact tracing.

2. Be open and transparent

  • Explain why you require employees to be tested and what may happen if they object to the test. It’s wise to ask employees to notify you in advance if they object.
  • Remind employees they should not attend work if they have a temperature or any other symptoms which may be related to COVID-19, or if they have had a positive test, or if they are supposed to be self-isolating.

3. Decide on your lawful basis

The European Data Protection Board (EDPB) issued a helpful statement regarding the processing of employee health data. They confirmed the lawful bases were likely to be public interest or legal necessity. They’ve said you will not need consent for this processing.

The EDPB also provided a timely reminder that your employee privacy notice should be updated to reflect any new processing of health data. By the way, you might also need to consider updating your public privacy notice if you intend to conduct temperature testing on any members of the public, e.g. visitors to your office.

4. Adopt data protection measures

  • Decide what specific data you need to capture and confirm where the data will be stored.
  • How do you plan to use the data, particularly data on positive results?
  • Who will have access to it and for what specific purposes? Don’t use it for any other purposes.
  • How long will data be retained? The retention period may differ for positive and negative results. Make sure you erase the data in a timely manner.

Also see the ICO guidance on simple security measures you can take.

In line with ICO guidance, it’s wise to carry out a Data Protection Impact Assessment (DPIA) before commencement, particularly where biometric data is gathered. A DPIA should cover:

  • Details of the proposed activity and its purpose;
  • Whether the activity is both necessary and proportionate to the requirement;
  • How managers and employees will be notified about this new processing;
  • Any data protection risks identified;
  • Any actions required to mitigate these risks.

Matthew Kay LLM, Data Protection Officer EMEA at Thomson Reuters commented:

“COVID-19 has presented challenges worldwide across different areas of business for organisations to contend with, including the requirements for close scrutinisation in respect of employee monitoring to ensure the health and safety of individuals.

But this should not be at a cost to an individual’s privacy and we must be mindful of an organisation’s responsibilities to comply with GDPR. Finding the right balance in respect of these considerations is key.”

Whilst there’s usually a strong justification for COVID-19 related measures such as this, you should bear in mind that potentially intrusive processing of employee data may give rise to new concerns and compliance risks, particularly if the processing could be viewed as excessive or disproportionate.

On 1 October the Hamburg Data Protection Authority (DPA) issued a fine of 35.3 million Euros to H&M, relating to serious breaches of employee privacy within H&M’s Service Centre in Nuremberg.

The DPA found that H&M’s workforce had been subject to extensive recording of details about their private lives since 2014.

This should serve as a timely reminder about data minimisation: organisations should collect and use only the data they really need for specified purposes. Take care not to expand your requirements beyond what is absolutely necessary and proportionate.