31 March 2021 - Post by: Benjamin Scrace
In guidance published by the Department of Health and Social Care, the UK government encourages private employers to provide Covid-19 coronavirus testing to their workers: “We want as many employers as possible to sign up to regularly test their employees”.
Before implementing a workplace testing programme, UK employers should consider carefully whether their approach is necessary and proportionate, and ensure that they understand and can satisfy their obligations under data protection, employment, and health and safety legislation.
Employers (considering the possibility of asymptomatic transmission) may consider imposing mandatory participation on their workers. However, mandatory workplace testing raises a number of risks for an employer. Though the Covid-19 coronavirus pandemic has created an unprecedented situation where employers are keen to facilitate the safe return to the workplace, the UK Government (as well as the Scottish Government, Welsh Government, and Northern Ireland Executive) does not (yet) require mandatory testing in all workplaces, which could (by virtue of being compulsory) involve disproportionate and unnecessarily intrusive data processing activities. As per current ICO guidance, employers should consider all factors before imposing mandatory testing (such as equalities issues and the terms of employee contracts), not just issues relating to data protection and privacy.
Each workplace is different and there is no one-size-fits-all. Whether an employer decides to implement a mandatory programme, and whether a mandatory programme is proportionate, will depend on whether the employer can justify the programme based on the risks present in the relevant workplace. The key issues for employers to consider before making participation in workplace testing programmes mandatory are summarised below:
Proportionality – is mandatory testing necessary and proportionate?
- What is the employer trying to achieve: Employers should consider whether mandating testing is proportionate – both to discharge the purpose of the testing programme (e.g. to minimise workplace transmission), and in comparison to alternative available measures (e.g. working from home, social distancing, and enhanced cleaning measures). If mandatory testing is not a proportionate measure considering the fact pattern, the employer will struggle to justify a legal basis under UK GDPR.
- Who is subject to mandatory testing: Employers should be able to demonstrate a clear and thoughtful rationale for imposing mandatory testing on specific groups of workers and not others. For example, mandatory testing may cease to be proportionate if employers only require employees (and not contractors working alongside such employees) to participate, or workers who could reasonably be separated from other individuals on the basis of their working environment (such as single person offices, or staggered shift times), or who are unlikely to require ongoing access to the workplace (e.g. office workers who could continue working from home). Employers should ensure clear and transparent communications with workers to explain why testing is being made mandatory, what testing involves and how it will be undertaken to ensure that the implementation of any mandatory testing programme is consistent with the obligation of trust and confidence.
- Is it a reasonably practicable measure: Employers are subject to a number of health and safety obligations under UK law. This includes the duty to ensure, so far as is reasonably practicable, the health, safety and welfare of their employees at work. Generally, what is “reasonably practicable” for an employer will be determined on an individual basis by reference to what is possible and proportional for the employer to do. This could be based on a number of factors, such as the size of the company, the resources and expertise available to it, the risks to health and safety involved in the conduct of their business, the gravity of potential injury that could be caused by their business, government and industry safety guidance, and what similar businesses typically consider as reasonable in the circumstances. The Covid-19 coronavirus pandemic has created an unprecedented situation for employers, to the extent that developing or procuring a workplace testing programme, and imposing mandatory participation in such a programme, may present one approach to discharging an employer’s health and safety duties. However, it could serve as an unhelpful precedent for the employer in the future, as it may stretch the concept of what should be considered reasonably practicable in light of similar risks to health and safety.
- Would workers participate voluntarily: Implementing a testing programme (at least initially) on a voluntary basis involves fewer risks from a data protection perspective, provided that it is genuinely voluntary. Voluntary participation may also prove effective in meeting the employer’s objective, especially if there is a sufficient level of voluntary participation by staff. If appropriately managed, with clear and proactive communication and consultation measures with employees, voluntary programmes can achieve high levels of participation that make imposing mandatory participation an unnecessary risk.
Legal basis – could an employer justify a legal basis?
- An employer will almost inevitably be a controller of personal data processed in connection with a workplace testing programme, and is therefore required to establish a legal basis for processing under UK GDPR. If the employer controls the processing of test results or other health data (which would constitute special category data) it will also need to establish a special condition for such processing under Article 9 UK GDPR.
- Depending on the fact pattern (and type of workplace), an employer may have strong grounds in justifying that mandatory participation is necessary and proportionate – particularly if on the basis of its health and safety assessment, it can demonstrate that requiring mandatory participation satisfies the employer’s (or a third party’s) legitimate interest, is necessary for the employer to discharge its legal obligations, or is necessary for reasons of public interest in public health.
- Mandatory participation also means that employers would struggle to rely upon consent as the legal basis under UK GDPR – consent would not be freely given if participation is a condition of office-based work. However, even if participation is voluntary, employers should think carefully before relying upon consent as the legal basis. Though consent is not necessarily invalid solely by virtue of an employment relationship, UK GDPR imposes a high threshold for valid consent (particularly in relation to special category data) and an employer must be able to evidence that it obtained genuine consent from each impacted individual (i.e. despite the potential imbalance of power between the employer and the worker).
- In any event, it would be easier for employers to establish a legal basis if participation is voluntary rather than mandatory – voluntary participation would reduce the likelihood of allegations that the testing does not respect the rights and freedoms of the employees. This does not necessarily mean that an employer should or is compelled to provide unrestricted access to its workplaces (i.e. without a negative test result). However, employers should instead consider whether they could achieve the same or similar results using a voluntary testing approach.
Exceptions – how will employers treat workers outside the programme?
- Will employers accept other tests: It may be disproportionate for employers to require individuals to participate in a workplace testing programme solely in order to obtain a particular type of test (e.g. a PCR or lateral flow test) or to obtain a test result from a particular provider. For example, the individual could provide evidence of a recent negative test result provided by the NHS or another unaffiliated but accredited private provider. Employers should consider to what extent they will allow exceptions to mandatory participation.
- How will employers manage exceptions: Workers who usually work from home (who are not required to participate in workplace testing) may request or require occasional access to the office. Employers should consider whether (and if so why) they require these workers to participate in workplace testing on an ongoing basis (despite infrequent access to the workplace). Alternatively, if the employer accepts evidence of negative test results procured by these workers outside of the employer testing programme, employers should consider how they will confirm or acknowledge these results, especially if the worker is unable to submit the results via the existing systems built specifically for the testing programme (and which may be designed to ensure that the employer does not process or have access to test results).
- Visitors and third party contact: Employers should also consider what (if any) requirements they impose on visitors to worksites; it is unlikely that businesses would subject visitors, clients and customers to Covid-19 coronavirus testing (other than limited and non-intrusive controls, such as temperature testing). Similarly, for workspaces that share common spaces with other businesses (such as communal areas or shared office space), employers should consider whether it is proportionate to mandate testing for their workforce if such workers interact frequently with customers, visitors, or workers employed by other parties who are not subject to testing.
Documentation – has the employer conducted an assessment of the project?
- DPIA: The ICO requires employers to carry out a data protection impact assessment (a DPIA) before putting in place mandatory Covid-19 symptoms testing. The purpose of a DPIA is to: (i) describe the nature, scope, context and purpose of processing; (ii) assess the necessity and proportionality of the project; (iii) assess the risks to individuals; and (iv) assess the measures to mitigate such risks. Where mandatory testing increases the likelihood and severity of any impact on individuals, employers should consider whether the high risk processing activities are justifiable if not remediable. The DPIA should also outline the employer’s review mechanisms to explain how the employer will review mandatory participation to ensure the measure remains proportionate over time.
- Health and safety: Employers should consider conducting (and documenting) a health and safety assessment of any testing programme to understand the need and viability of mandatory participation. Imposing or requiring mandatory participation without justification could mean that the employer engages in avoidable and privacy-intrusive data processing activities.