As the COVID-19 outbreak in the UK shows signs of passing the 'peak', we are all left contemplating what post lockdown life will look like.
In addition to the government's 'Test and Trace' strategy, many businesses are beginning to assess what else they can do to provide a safe environment that will entice staff and customers back into workplaces. Although, in the context of a global pandemic, health monitoring may in some cases now be seen as a welcome intervention rather than a 'creepy' invasion of privacy, it still raises significant privacy issues. The extent to which businesses recognise, document and mitigate these issues will be key to avoiding both legal liability and a potential backlash from employees and customers. In this article we take a look at the key issues, and recommended approaches to tackling them.
DO WE HAVE A LEGAL DUTY TO MONITOR?
In short: no. There are currently no express health and safety regulations requiring Coronavirus health monitoring in any place of work. Currently, businesses are obliged to follow the government's Coronavirus social distancing guidelines and regulations, together with their existing responsibilities to generally provide a safe working environment under Health and Safety legislation. This will involve putting in place measures that reduce or avoid the risks of Coronavirus spreading throughout work places, such as desk spacing in offices and rigorous cleaning regimes. Whether any additional measures such as health screening or temperature checking should be used is a question for each organisation to consider.
As an aside, it is worth noting that although there is no general statutory duty to monitor health, we are seeing some evidence of contractual duties to monitor health. For example, clients engaging on-site service providers may require temperature checking or testing to reduce on site risks. Contractual duties to monitor should not be accepted without first checking that the particular monitoring proposed is compliant with privacy laws.
CAN WE MONITOR AND COMPLY WITH PRIVACY LAWS?
Monitoring of health status is an inherently privacy invasive activity, and is closely regulated. That said, it is possible to monitor in a way that complies with privacy laws if you follow the 5 Golden Rules of Monitoring:
- Have a Lawful Basis: consider your legal justification for the kind of monitoring you propose. ICO guidance released in May confirms that employers will have a lawful basis to monitor employees for health and safety reasons. Monitoring of the public and contractors may also be justified on other substantial public interest / public health grounds.
- Do a Data Protection Impact Assessment (DPIA): show you have balanced necessity against risk, considered alternatives, and put protections in place for individuals (such as minimisation, transparency and security). Set out why you think monitoring is necessary (for example the job necessitates close contact) and why alternatives would not work.
- Don't collect too much: In some cases you may not need to record any information about an individual at all (for example a pass/fail temperature check for admission, where only the decision to admit is acted on and no reading is stored). In other cases you may need more, such as noting a positive test result so that colleagues in immediate proximity can be notified. Make sure you use technology that doesn't gather more than the purpose requires (for example full body thermal imaging is likely to be excessive in most cases).
- Accuracy is critical: the effectiveness of any monitoring depends on the accuracy of the technology, which can be a challenge as new technologies to address Coronavirus are adapted constantly. Ensure any monitoring tech you are using is able to record accurate results: otherwise the justification for using it at all is questionable.
- Sharing Controls: Some forms of health screening, such as testing, will potentially identify an affected individual. ICO guidance confirms that duties to keep other employees safe, as well as other sharing for public health purposes, can be justified where necessary. In short, other individuals would need to be at risk before any sharing is justified.
HOW DO WE TELL INDIVIDUALS?
Transparency is one of the key protections for individuals which you will need to build into any monitoring DPIA. Individuals must be clearly given information about:
- who the 'data controller' doing the monitoring is – this will be obvious in some cases (for example an employer monitoring employees) but less obvious in others (for example a commercial landlord monitoring on behalf of tenants);
- the purpose of the monitoring and the legal basis (for example to control the spread of Coronavirus by identifying people who may have symptoms, and to meet employer health and safety obligations);
- the nature of the monitoring and exactly what information will be recorded – in some cases this will simply be a positive test result, in others additional information may be gathered;
- who is going to see the results – including whether results could be shared with others (where necessary);
- how long results will be kept for (if at all);
- the individual's rights of access to the information recorded, and rights to make a complaint.
Some of this information may already be in the organisation's general privacy notice, but it is likely that some updates will be needed to make sure that enough clear information is provided. Any organisation carrying out monitoring should also consider updating information retention schedules and registers of processing to accommodate specific additional monitoring activity.
Finally, please note that these conclusions are based on current regulatory guidance for UK businesses. International businesses should bear in mind that regulators are taking different approaches across the EU, and our team has prepared a quick comparative guide for UK, France and Germany.
NOW HOW CAN WE HELP?
Our privacy specialist team, based in each of our UK offices, can assist you with everything from privacy impact assessments to preparing your updated privacy notices and contracts – we'd love to hear from you.