On 23 April, the Department for Health & Social Care (DHSC) announced that, as part of its 5-pillar strategy, testing for Covid-19 has now been extended to all ‘essential workers’ in England and Scotland who exhibit symptoms. A new online portal now enables employers to refer self-isolating staff and members of their household for testing, and employees to book a test directly for themselves or any member of their household who is self-isolating due to coronavirus symptoms.

Essential workers include NHS and social care staff, teachers, hospital cleaners, the emergency services, supermarket staff, delivery drivers and others providing critical infrastructure. A full list can be found here.

Although the expanded testing capacity is a welcome tool in the fight against Covid-19 and to enable the continuity of essential services, it does also raise a number of potential privacy issues that employers should be seen to consider when using the portal.

First, they will need a lawful basis on which to process personal data relating to their employees and members of their households when they refer them for testing using the new portal. It is likely that this will be that they have a ‘legitimate interest’ in the processing of this data, but a bald assertion of this is not enough – strictly they will need to be able to demonstrate that this legitimate interest is not overridden by the rights and freedoms of the employees and their family members. In theory, this requires the employer to consider whether using the referral system is a necessary and proportionate measure to get key workers back to work as quickly as possible whilst combatting the spread of the virus. This will include justifying why the employer needs to refer the employees and family members for testing, rather than simply encouraging them to book their own tests online.

In practice, however, it seems unlikely that the employer’s use of a scheme designed expressly to help get its key people back to work in an unprecedented crisis would be deemed an unwarranted interference with their rights, especially as undergoing the testing after an employer referral is entirely voluntary for the employee/family member. When employees are referred for testing, they receive a text inviting them to book an appointment. They are under no direct obligation to do so. However, it is possible that if an employee seeks to remain off work for an extended period without clarifying his health position when by taking the test he could do so, this could be a breach of the employer’s absence rules and so lead to withholding of sick pay or ultimately to dismissal. Whatever the data protection law position, therefore, taking the test is likely to be a reasonable management instruction under the employment contract.

Second, data protection law also requires employers to ensure that they are fully transparent with staff and their family members about the processing of their personal data via the portal, including ensuring that they are provided with all of the information mandated under Articles 13 and 14 of the GDPR. The DHSC has provided wording that employers can use to inform their staff about the testing facility. This will need to be supplemented with additional information about the processing of employees’/family members’ personal data.  The employer should consider how best to provide this information to members of employees’ households.

DHSC guidance tells employers that they will not get to see the results of any tests, or even be told whether the employee/family member has taken the test. The DHSC’s suggested form of words about the testing tells employees that they are not expected to share the result with the employer and that if the test is negative, the employee can choose to go back to work if they feel well enough to do so. This is quite unrealistic in practice. Employers will clearly want to know whether an employee/family member has taken the test and the result, for workforce planning purposes. If the employer asks the question, then anything less than a straight and immediate confirmation of testing negative would fully justify his being sent home on SSP again from the employment law perspective.

Where the employer is given a test result by the employee, (whether it is provided voluntarily or under duress) it is likely to be deemed to be processing health data. This will require it not only to have a lawful basis for that processing but also to satisfy an additional condition under data protection laws to enable it to process special category data of this sort. Trying to rely on the explicit consent of the employee is not likely to work, as the perceived imbalance of power between an employee and employer is likely to render the consent invalid.

However, the employer could rely on an assertion that knowing the test result is necessary in order for it to comply with its employment law obligations owed to that employee or others or visitors to its premises. That will in turn require it to be able to demonstrate that access to this data is strictly necessary to comply with those obligations. That is unlikely to be a difficult hoop to get through given the nature and extent of its common law and statutory duties on the health and safety front, which would mean that if it had any realistic basis for suspecting that the employee may be infected (including his falling within any category of person required to self-isolate), it could not safely allow that employee back into the workplace. If this testing confirms or removes that suspicion, the employer must therefore be entitled to rely on it. That is after all what the scheme is designed for. We must bear in mind also that many employees will be nervous about returning to the workplace and close proximity to many people and will require all the assurances the employer can give that their formerly self-isolating colleagues do not pose any infection threat to them.

Needless to say,  retention, use of and access to test results by the employer must be strictly limited to what is necessary to pursue the employer’s legitimate interests and to comply with their employment law obligations. But bear in mind that the ICO has indicated that it will approach data protection law compliance in a pragmatic manner so far as Covid-19 is concerned, provided the use of that data is reasonably considered by the employer to be necessary and proportionate.