UK ICO Offers Guidance on Back-to-Work Data Privacy Issues

May 13, 2020 | Alerts

The United Kingdom's Information Commissioner's Office (ICO) has issued guidance for employers on data protection issues related to the return to the workplace as part of the COVID-19 "new normal."

General Principles

Legal Basis

  • Testing for symptoms is processing of personal data and subject to the General Data Protection Regulation (GDPR).
  • For private employers, legitimate interests is likely to be the appropriate legal basis for processing.
  • For health data, employers must also identify an Article 9 condition for processing (e.g. Article 9(2)(b), the employer's obligations regarding health and safety).

Data Minimization

  • For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfill your purpose.
  • In order to not collect too much data, you must ensure that it is: adequate – enough to properly fulfill your stated purpose; relevant – has a rational link to that purpose; and limited to what is necessary – you do not hold more than you need for that purpose.

Transparency

  • Be clear, open and honest with employees from the start about how and why you wish to use their personal data.
  • Have clear and accessible privacy information in place for employees, before any health data processing begins.
  • The ICO recognizes that in some cases it may not be possible to provide detailed information in advance.

Data Subject Rights

  • Ensure that staff are able to exercise their information rights.
  • Put processes or systems in place that will help your staff exercise their rights during the COVID-19 crisis.
  • For example, set up secure portals or self-service systems that allow staff to manage and update their personal data where appropriate.

Employee Testing: Possible, But
  • Be clear about what decisions you will make with that information.
  • Before carrying out any tests, you should at least let your staff know:
    • what personal data is required
    • what it will be used for
    • who you will share it with
    • how long you intend to keep the data
  • If possible, provide employees with the opportunity to discuss the collection of such data if they have any concerns.

Data Protection Impact Assessments (DPIA)

You should conduct a DPIA for the testing. This DPIA should set out:

  • the activity being proposed
  • the data protection risks
  • whether the proposed activity is necessary and proportionate
  • the mitigating actions that can be put in place to counter the risks
  • a plan or confirmation that mitigation has been effective

Data Minimization

  • For example, you will probably only require information about the result of a test, rather than additional details about underlying conditions.
  • Consider which testing options are available, to ensure that you are only collecting results that are necessary and proportionate.
  • As an employer, you should be able to demonstrate the reason for testing individuals or obtaining the results from tests.

Temperature Checks/Thermal Cameras: Possible, But

  • As this is more intrusive technology, give specific thought to the purpose and context of its use and be able to make the case for using it.
  • Make sure that any monitoring of employees is necessary and proportionate, and in keeping with their reasonable expectations.
  • Think about whether you can achieve the same results through other, less privacy-intrusive means. If so, then the monitoring may not be considered proportionate.
  • You can use the surveillance camera DPIA template to this end.

Maintaining Lists of Employees who Tested Positive: Possible, But

  • Ensure the use of the data is actually necessary and relevant for your stated purpose.
  • Ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.
  • Ensure that such lists do not result in any unfair or harmful treatment of employees (e.g. from inaccurate data or data which isn't up to date).
  • Don't use the data for any purpose which is not reasonably expected.

Disclosing an Employee's Condition: Possible, But

  • Keep staff informed about potential or confirmed COVID-19 cases among their colleagues.
  • However, you should avoid naming individuals if possible.
  • Do not provide more information than is necessary.

Receiving Test Results from an Employee: Possible, But

  • Have due regard to the security of that data.
  • Consider any duty of confidentiality owed to those individuals who have provided test results.
  • Make sure your use of the data is necessary and relevant.
  • Do not collect irrelevant or excessive data, and do not share it with authorities unless this is required.

Additional Information