Sharing positive Covid tests lawful, subject to data compliance

If you are carrying out Covid testing of your staff and someone tests positive can you share that data with others? This is now a big issue for many employers since the government announced a push to start rapid Covid testing of people who don’t have symptoms, targeting those who can't work from home. That scheme is aimed at the public sector, mainly local authorities, but large parts of the private sector are now following suit. The tests we are referring to are the rapid tests, or lateral flow tests as they are sometimes called, which give a result very quickly, in around 30 minutes. 

People Management has reported on this -  'An employer’s guide to workplace Covid testing'- pointing out that the government is allowing employers to set up their own testing programmes outside of Test and Trace, and that whether employers make testing mandatory is a matter for them. So what if you do test your staff and someone does test positive? Can you press ahead and disclose that test result, sharing that person's personal data and exposing their identity? To help with that I called data specialist Leanne Francis:

Leanne Francis: “Well often employers have a really good reason for wanting to do that, for employees who are showing symptoms or who have a positive test for COVID, and they're wanting to tell their colleagues so that they can potentially self isolate and stop the spread. So there's a really good reason for wanting to share the identity of employees in those circumstances and I've seen it done in two ways. Some employers will ask their staff on their return to the workplace, whether they are happy for their identity to be disclosed in those circumstances, and they obtain what we call explicit consent. My view is that that's one way of doing it, but it does cause some issues. So consent in the employment context is often challenged as invalid because it's what we call 'gritted teeth, consent', the employee feels they have no choice but to consent. They also have greater rights. So if an employee later decides they want to withdraw that consent they can do so and they can ask you to delete all of their information. Also explicit consent is quite onerous. These explicit consent forms are just that, they go into a couple of pages when they're done properly. So my view really is that the better way of doing this is to decide whether it's reasonably necessary to share the identity in order to protect the health and safety of staff and, obviously, sending an email to 6,000 employees all based at different locations, disclosing the name of an individual who's tested positive, is probably going a bit too far, whereas speaking to that individual, working out who they've come into contact with, who really needs to know their identity, and then disclosing it on a 'need to know' basis is the better approach, or even just thinking about whether you tell people that there's been a confirmed case in the workplace and that's as far as you go. There's nothing in data protection law stopping you protecting the health and safety of your staff, that's absolutely paramount, but privacy, equally, does not go out of the window. So it's important that we handle this information sensitively."

Joe Glavina: "What about employers who want to make a list of the people who test positive. We know that's happening. Is that okay?"

Leanne Francis: "I don't think there's any problem with that. I think sometimes employers feel that if they put pen to paper that they're exposing themselves to a liability under the Data Protection Act but actually data processing captures even the most basic of activities so looking at a screen of information or sharing that information verbally, would still be caught by the Data Protection Act so  just because we make a record of this does not mean that we're exposing ourselves to any greater liability and, in fact, I think when you're doing it to protect the health and safety of your staff, or to manage sickness absence or furlough leave or sick pay, then you've got a good reason for doing it and actually making a record of it enables you to keep that information accurate and up to date. I think the most important thing to bear in mind is that this is special category data, it is highly sensitive, and we need to treat it in the same way that we would treat bank account details. So we don't leave this information lying around, we make sure that access is on a 'need to know' basis, we password protect, we don't leave it in public folders, we think about how long we really need to keep it for and we only use it for that for that particular purpose. But actually I think keeping a record of the information where you've got a good reason for processing it in the first place is absolutely fine."

Joe Glavina: "Last question Leanne. We hear that many large employers are looking to outsource the testing to a third party service provider. Does that change things?"

Leanne Francis: "Well, this happens quite a lot in the employment context anyway. So we have employers who use payroll providers, who use benefits providers, they use background checking services, so this is just another way to outsource what can be a huge administrative burden but the employer still remains the data controller in these circumstances. So if something goes wrong with that data, then the provider is a processor, and they're processing that data on your behalf, and as a data controller we have an obligation to make sure it's looked after by that third party. So the starting point would be making sure you have a really robust contract with them to make sure that they're looking after the information, asking what they'll do in the event of a breach, that they'll cooperate with you to report that to the ICO, that they give you the right to audit their processes and their policies and procedures, that you have the right to the return and secure deletion of the information at the end of the contract. So it's just making sure you have that extra security in place. We tend to get a lot of queries from clients about employees who have made complaints about data sharing. So employees who are nervous about their data will get even more nervous when they realise that information is being shared with a third party because they will feel like the employer is losing control of it. So one of the best ways to pre-empt those complaints is to have a privacy policy which makes it really clear what you're doing with their information and why, and that can help to give employees reassurance where they feel that, perhaps, their information is being shared too widely."

Finally, just to flag up another issue which we covered on Tuesday – that's the issue of whether you can impose Covid testing on your staff and is something data specialist Katy Docherty covers in detail. You can find that on the Outlaw website.