Katy Docherty tells HRNews workplace testing is possible but data protection duties must not be overlooked


  • Transcript

    If you want to carry out Covid-testing on your staff can you press ahead? This is now a big issue for many employers because a fortnight ago the government announced a push to start rapid Covid testing of people who don’t have symptoms, targeting people who are unable to work from home. The scheme is aimed at the public sector, mainly local authorities, and has been widely taken up. According to the government's website, NHS Test and Trace is working with a number of employers piloting regular workplace testing in sectors including food, manufacturing, energy and retail – important because the government estimates between one in three and one in four people who have coronavirus never show any symptoms but could still be infectious. Rapid tests, or lateral flow tests as they are sometimes called, take just 30 minutes to give a result and can help identify people with high levels of the virus who don't have symptoms. People Management has reported on this - 'An employer’s guide to workplace Covid testing' - pointing out that the government is allowing employers to set up their own testing programmes outside of Test and Trace and whether employers make testing mandatory is a matter for them. So if they do what are the risks and what about private sector employers? We will come on to that in a minute but first we can show you what's involved when a rapid test, or lateral flow test, is carried out. Durham University have produced a very nice demo video on this which they've posted up on YouTube. Here it is:

    Video – Durham University demonstration of lateral flow test (YouTube)

    So back to the question. Can you as an employer carry out these tests on your staff? The government's website answers that with a 'yes' but there's an important caveat – they say you have to be careful. Why is that? To help with that I spoke to one of our data specialists, Katy Docherty. She joined me by video-link from Glasgow:

    Katy Docherty: "The reason that you have to be so careful is because when you start gathering in health data about individuals, which is what you will be doing if you're doing Coronavirus testing, or checking for symptoms, the minute you start doing that, not only are you processing personal data but you're processing special category data about them because health data falls under that definition under data protection legislation and so you have to exercise great care both in deciding whether that processing is something that you can do and, if so, in actually carrying it out. Now one of the best ways to decide whether or not this is something that you can do is by carrying out a DPIA. Not only will that allow you to understand if the testing is something that you can do, but it will actually allow you to comply with data protection law because a Privacy Impact Assessment is mandatory in these situations. It will allow you to demonstrate accountability, it will allow you to stop and think before you start carrying out that processing whether or not this is something that is necessary for your organisation, if so why, it will allow you to work out what your aim is, and it will allow you to work out the best way to carry out that testing in a way that is fair, transparent and lawful. So not only will it mean that you, as an employer, are processing that data more carefully, and in a way that is fair to the individuals, it will also mean that you can demonstrate to the ICO that you have gone through the process required by law to ensure that this is something that the company is on solid ground doing."

    Joe Glavina: "Can I ask you about mandatory testing, Katy? I know a number of employers are wanting testing to be compulsory for their staff. Does the data protection law allow for that?"

    Katy Docherty: "A lot of employers are querying whether this is something that they can do and the answer to that one is not necessarily. Now whilst we've just discussed how in principle testing is something that companies and employers can do, making that mandatory for individuals is a different question altogether and not only do you have to take into account data protection legislation and the requirements under the law in that sphere, you also need to take into account a wide variety of other issues. So for example, if you are considering mandatory testing in relation to your employees, you will have to consider employment law, your contract with the individuals and also the wider employee relations sphere. You may need to take into account health and safety legislation, any applicable government guidance, and it may be the case that specific sectors end up having specific guidance on this particular topic. Now mandatory testing potentially in some spheres could be considered quite draconian and, you know, bringing it back to data protection and whether you can make that mandatory, part of your Privacy Impact Assessment, which we were just discussing, will allow you to consider why you feel this needs to be mandatory, it will allow you to consider whether you can meet your aims, for example, in the public interest carrying out this testing. It will also allow you to consider whether you can meet that aim by having a voluntary scheme as opposed to a mandatory one. So, not only will your Privacy Impact Assessment allow you to assess making this mandatory from a data protection perspective, but going through that thought process and showing your working about considering this requirement will also allow you to think about the wider implications and the other obligations that you as a company, or an employer, may have. 
    So, the bottom line is that even if you decide that testing is something that you can do you will need to stop and think carefully again if you are considering making it mandatory, because that is a slightly different question and it does have different considerations that potentially go wider than just data protection law."

    The other big issue on Covid-testing is whether you can share a positive test result with other members of staff - so sharing that data. A positive result shows up as two lines, one line alongside the 'C' - which simply confirms it's a valid test - and a second line alongside the 'T' - which means it's a positive result (if there's no line next to the T it's a negative result). So assuming it is positive, can you share someone's positive result with other members of staff? We will cover that in our next programme, so watch this space.