In the current COVID-19 climate, many of our clients have needed to change quickly the working patterns of their workforces in response to the UK government’s social distancing measures and lockdown restrictions.
A large aspect of this has been working from home, which, for many, has become the 'new normal' during this pandemic. However, not all workers are able to continue to work without leaving their homes.
Some employers therefore need to adopt sensible precautions (in relation to those workers who still attend the workplace) to ensure that they are, on one hand, compliant with current UK government guidance and rules regarding homeworking during lockdown – and on the other – not overstepping the employment and data privacy rights of individuals within their workforce. Employers will also hopefully be looking to the future and the potential easing of restrictions. The safe return to 'normal' working life will be top of the agenda.
It is certainly a hard balance to strike in these unprecedented times, and some organisations have adopted (among other precautions) temperature-screening processes at their sites in order to seek to protect the health and safety of their collective workforce.
Below are some key legal issues that employers need to consider when deploying temperature screening processes.
UK employment law
Consent
Individual consent is required before an employer can screen an employee’s temperature at the workplace. It may be possible to rely on an existing provision in an employment contract or handbook to conclude that consent has already been given (eg consent to a medical examination if those conducting the screenings are medical professionals). However, the best approach is to obtain express consent from individuals in relation to temperature screening.
If there is no express consent, it might be possible to imply a term permitting a worker’s participation in the temperature screening (but note that implied consent would not necessarily be sufficient from a UK data protection perspective, as explained below). Consent might be implied for example because the employer owes general common law and statutory duties to ensure individuals are safe at work.
If consent has been given (express or implied), but the individual refuses to take part in the temperature screening, this is potentially a breach of contract entitling the employer to take disciplinary action against the individual. However, in practice, careful thought would be required before taking disciplinary action in the current environment (for example, considering reputational risks).
If those conducting the temperature screenings are selected from the current workforce (although this may be difficult from a UK data protection perspective, as explained below), their consent (ideally in writing) should be obtained in relation to their role in the screening process.
Express consent should also be sought for the screening of any external visitors to the workplace. External visitors should only be permitted in line with current UK government guidance.
Compliance with the Equality Act
The risk of direct discrimination/harassment should be appropriately mitigated if screening is carried out consistently across all relevant workers. However, employers should also be alert to the risk of indirectly discriminating against groups or classes of their workforce by applying blanket policies which detriment any section of the workforce (eg employers must be open to making reasonable adjustments to the screening process for workers with a disability).
Health and safety modifications should also be considered in respect of each worker being screened.
UK data protection law
Processing personal health data
Under the EU general data protection regulation (GDPR), a data subject (ie the person being screened) may consent to their data being processed only if that consent is 'freely given'. Although a visitor to an organisation's premises may be able to freely consent, it is unclear if an employee, worried about losing their job or wages if they refuse testing, could give valid consent in this situation.
The GDPR otherwise provides legal bases under which personal health data can be processed. Certain of these legal bases will need to fulfil additional UK-specific requirements, as set out in the Data Protection Act 2018.
Employers may likely rely on their obligation (under common law and UK health and safety legislation) to ensure the health, safety and welfare of their employees, which they could achieve by screening both employees and visitors to their premises.
Employers might also be able to rely on:
- assessing an employee’s ability to work in the context of preventative and occupational medicine; and/or
- reasons of public health, in each case only if the screening is undertaken by a healthcare professional or someone who owes a statutory duty of confidentiality.
Practical steps for employers
Key to fulfilling the health and safety condition, and good practice when relying on the occupational medicine and public health conditions, is having a policy document in place for the processing of the relevant personal data. The document should explain the employer’s procedures for complying with the GDPR and its retention policies for that data, including how long the data is likely to be kept before it is destroyed. We suggest that employers update their general privacy notices issued to employees or visitors. Employers might also consider making a separate policy document available for any individuals being screened.
The Information Commissioner’s Office (ICO) has acknowledged that, to ensure the health and safety of their employees, employers may reasonably ask individuals if they have experienced COVID-19 symptoms. Similarly, the German and Italian authorities have each noted that employers may conduct screening to prevent the spread of COVID-19. The Dutch data protection authority has taken a stricter approach in barring employers from performing health checks on employees unless the person conducting those checks is an occupational physician.
As always, organisations should minimise the amount of data collected by only asking for necessary information and treating any data collected with appropriate safeguards. The ICO suggests minimising the collection of visitor information by asking them to consider government advice before visiting.