Guidance for employers on testing their workforce for COVID-19

Updated as of 2 June 2020

As workforces begin returning to offices, schools, shops and construction sites, employers are turning their attention to how best to keep their workforce safe. In addition to the practical return to work considerations which we have outlined here, one option which is being considered by employers is the possibility of workforce Covid-19 testing. This article outlines the data protection implications of such testing.

There are two key types of Covid-19 testing: virus swab (PCR) tests, which are used to identify if an individual has the virus at the point the swab is taken, and antibody tests, which are used to detect antibodies to the Covid-19 virus to see if individuals have previously had the virus and have developed an immune response. Employers may also consider using temperature checks as a less invasive (but less accurate) method of Covid-19 testing.

The UK’s Information Commissioner’s Office (ICO) has made it clear that workforce testing will be possible provided employers comply with applicable data protection laws, namely the GDPR and the Data Protection Act 2018.

Coronavirus screening records and results, together with other health information, are a ‘special category’ of personal data which requires an additional layer of protection due to its sensitive nature.

Special category personal data may only be processed where there is both a lawful basis for processing personal data under Article 6 GDPR and where there is an additional condition for processing that special category personal data. Those additional conditions for processing special category personal data are set out in Article 9 GDPR and Schedule 1 DPA 2018.

The main lawful bases on which organisations may perform coronavirus testing and process the related special category data will be:

  • where the data subject has given their explicit consent (discussed in more detail below); or
  • where the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law, such as ensuring the health, safety and welfare of employees.

It is important for employers to determine and document the condition for processing special category data before the processing begins. In many cases it will also be necessary to put in place an ‘appropriate policy document’ in order to meet a Schedule 1 condition for processing under the DPA 2018.

Whilst it is possible for organisations to rely on consent as the legal basis for collecting data regarding visitors and other service users, employers who seek to rely on consent should be mindful of the employment context. Unless the screening is very clearly ‘optional’ and the employee will not be in any way penalised for refusing consent, consent will be deemed to be invalid due to the imbalance of power between the employer and the employee – meaning that the consent is not freely given because the employee feels compelled to submit to the screen. In these circumstances, the employer should consider whether another condition is more appropriate, for example, where the processing is necessary for ensuring the health, safety and welfare of employees.

In order to demonstrate that the processing of the screening data is compliant with data protection law, employers will need to complete a data protection impact assessment (DPIA) which sets out:

  • the activity being proposed
  • the data protection risks
  • whether the proposed activity is necessary and proportionate
  • the mitigating actions that can be put in place to counter the risks
  • a plan or confirmation that mitigation has been effective

In addition to having a lawful basis and appropriate condition for processing special category data and completing a DPIA, employers also need to comply with the GDPR’s minimisation principle. This requires employers to consider whether the personal data being collected is adequate, relevant and limited to what is necessary in relation to the relevant purpose. In the context of coronavirus testing, this requires the employer to demonstrate that there is a valid reason for testing individuals and obtaining the results from tests and to conclude that the same goals could not be achieved without the collection of special category personal data by, for example:

  • providing remote working options
  • implementing clear procedures on self-isolation in case of suspected contagion
  • complying with good practice hygiene recommendations, such as making hand sanitiser and PPE available and conducting regular cleaning
  • restricting interpersonal contact

Where employers process health data in relation to employees, it is important to ensure that the data processing is secure and that any duty of confidentiality owed to employees is maintained. Employers must also be mindful of their employment law obligations and ensure that results of Covid-19 screening tests are not used in a way which results in the unfair or harmful treatment of employees.

Employers should ensure that employees are kept informed about potential or confirmed coronavirus cases amongst the workforce with whom they are likely to have contact or within premises they are likely to enter. However, employers should not provide more information than is necessary and, where possible, employees should not be named. 

Data protection law in the UK requires employers to be clear, open and honest with employees about how their personal data is going to be used. This requires employers to have privacy notices making it clear to employees:

  • why Covid-19 tests are being performed
  • what personal data is being collected
  • what that personal data will be used for
  • what decisions will be made based on that personal data
  • who the test results will be shared with and why
  • how long the personal data will be kept for

Employers should also provide employees with the opportunity to discuss the performance of Covid-19 testing and the collection of personal data if they have any concerns.

The Information Commissioner’s Office (ICO) has launched a data protection and coronavirus information hub containing information for businesses and individuals on the collection and use of personal data in relation to coronavirus.

In its guidance the ICO recognises “the unprecedented challenges that we are all facing” and understands that “resources and data protection practices may be deviated from usual compliance”. The ICO reassures that “it will not penalise organisations that need to prioritise other areas or adapt their usual approach” during these challenging times. Whilst the ICO does not have the power to change the legislation to extend the timescales for compliance with subject access requests, the ICO has said that it will keep individuals up-to-date through its communication channels that “there may be some understandable delays in relation to their information rights request”.

