My company wants to offer staff Rapid Flow Covid tests when they return to the office on 12th April. They want to offer them to staff and regular contractors that will be on site.
Can they force people to take them? (Small team <10 people)
As they’re a private firm, could Art 6 basis be Public Interest? Or could it be LI?
I can see Article 9.2.g (substantial public interest) derogation too – but am I being naive?
Also – has anyone got any great examples of Employee FPN / PN updates that cover this?
Thank you in advance (please be kind)
HellenB
The best resource for advice on this topic from a data protection point of view is the ICO guidance:
https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/
Guidance on how to conduct the testing is here:
https://www.gov.uk/government/publications/coronavirus-covid-19-testing-guidance-for-employers/coronavirus-covid-19-testing-guidance-for-employers-and-third-party-healthcare-providers
You need to consider if the testing is:
– necessary (you work in a health or social care setting)
– reasonable
– proportionate
Depending upon what sector you are working in you might have difficulty proving this and you have to bear in mind that there is the hurdle of the Human Rights Act to take into account as well. It is a high bar to get over to make it mandatory.
Remember, you need to split the reason for doing the tests (a business decision) from the processing of the data. For the latter, it is special category data and you will be processing it under consent.
This is a good post on the subject:
https://www.peoplemanagement.co.uk/experts/legal/can-employers-enforce-tests-for-covid-19
Dean
This resource from the ICO on testing is helpful, including lawful bases that might be appropriate for the processsing.
https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/testing/#testing5
Dean
Hellen’s signpost to the ICO is very helpful here. We’ve used the ICO’s hub for LFT testing compliance.
For a Privacy Notice, it’s just like any other privacy notice, you just have to be logical in how you present the information. I can’t share the content of the notice, but there are the headings that I’ve used in a PN for testing in a privately owned company: –
1. WHY WE ARE TESTING
2. WHICH PERSONAL INFORMATION IS PROCESSED & WHY
3. HOW WE USE YOUR PERSONAL INFORMATION
4. DATA SHARING
5. ACCESS TO THE DATA
6. HOW LONG YOUR INFORMATION WILL BE KEPT
7. THE LAWFUL BASIS FOR PROCESSING YOUR PERSONAL INFORMATION
8. YOUR RIGHTS
9. CONTACTING US
It doesn’t need to be war and peace, just factual, concise and understandable. The PN that I wrote was on one page of A4.
Hellen’s point about necessity is important, it may be appropriate to require testing in an environment where people could otherwise be at risk. In the business I refer to, it was decided that LFT was optional.