If you are carrying out Covid testing of your staff and someone tests positive can you share that data with others? This is now a big issue for many employers since the government announced a push to start rapid Covid testing of people who don’t have symptoms, targeting those who can't work from home. That scheme is aimed at the public sector, mainly local authorities, but large parts of the private sector are now following suit. The tests we are referring to are the rapid tests, or lateral flow tests as they are sometimes called, which give a result very quickly, in around 30 minutes.
People Management has reported on this - 'An employer’s guide to workplace Covid testing' - pointing out that the government is allowing employers to set up their own testing programmes outside of Test and Trace, and that whether employers make testing mandatory is a matter for them. So what if you do test your staff and someone does test positive? Can you press ahead and disclose that test result, sharing that person's personal data and exposing their identity? To help with that I called data specialist Leanne Francis:
Leanne Francis: “Well often employers have a really good reason for wanting to do that, for employees who are showing symptoms or who have a positive test for COVID, and they're wanting to tell their colleagues so that they can potentially self-isolate and stop the spread. So there's a really good reason for wanting to share the identity of employees in those circumstances and I've seen it done in two ways. Some employers will ask their staff on their return to the workplace, whether they are happy for their identity to be disclosed in those circumstances, and they obtain what we call explicit consent. My view is that that's one way of doing it, but it does cause some issues. So consent in the employment context is often challenged as invalid because it's what we call 'gritted teeth consent', the employee feels they have no choice but to consent. They also have greater rights. So if an employee later decides they want to withdraw that consent they can do so and they can ask you to delete all of their information. Also explicit consent is quite onerous. These explicit consent forms are just that, they go into a couple of pages when they're done properly. So my view really is that the better way of doing this is to decide whether it's reasonably necessary to share the identity in order to protect the health and safety of staff and, obviously, sending an email to 6,000 employees all based at different locations, disclosing the name of an individual who's tested positive, is probably going a bit too far, whereas speaking to that individual, working out who they've come into contact with, who really needs to know their identity, and then disclosing it on a 'need to know' basis is the better approach, or even just thinking about whether you tell people that there's been a confirmed case in the workplace and that's as far as you go.
There's nothing in data protection law stopping you protecting the health and safety of your staff, that's absolutely paramount, but privacy, equally, does not go out of the window. So it's important that we handle this information sensitively."
Joe Glavina: "What about employers who want to make a list of the people who test positive. We know that's happening. Is that okay?"
Leanne Francis: "I don't think there's any problem with that. I think sometimes employers feel that if they put pen to paper that they're exposing themselves to a liability under the Data Protection Act but actually data processing captures even the most basic of activities so looking at a screen of information or sharing that information verbally, would still be caught by the Data Protection Act so just because we make a record of this does not mean that we're exposing ourselves to any greater liability and, in fact, I think when you're doing it to protect the health and safety of your staff, or to manage sickness absence or furlough leave or sick pay, then you've got a good reason for doing it and actually making a record of it enables you to keep that information accurate and up to date. I think the most important thing to bear in mind is that this is special category data, it is highly sensitive, and we need to treat it in the same way that we would treat bank account details. So we don't leave this information lying around, we make sure that access is on a 'need to know' basis, we password protect, we don't leave it in public folders, we think about how long we really need to keep it for and we only use it for that particular purpose. But actually I think keeping a record of the information where you've got a good reason for processing it in the first place is absolutely fine."
Joe Glavina: "Last question Leanne. We hear that many large employers are looking to outsource the testing to a third party service provider. Does that change things?"
Finally, just to flag up another issue which we covered on Tuesday – that's the issue of whether you can impose Covid testing on your staff, which is something data specialist Katy Docherty covers in detail. You can find that on the Outlaw website.