Since the announcement of the ‘on-site testing’ to identify employees who unknowingly have the virus, there have been some further updates which are important to understand
Testing kits will be available to register for with government funding up until 31 March 2021. So it is important to plan ahead.
Employers have a common law and implied contractual duty to take reasonable care for the health and safety of every worker. Additionally, the Health and Safety at Work etc. Act 1974 requires employers to take all reasonably practicable steps to ensure the health, safety and welfare at work of all their workers.
Employers can offer workplace testing as a way to reduce the risk to employees’ health during the pandemic. Using a workplace Testing Policy will provide your employees with information on the internal COVID-19 testing programme.
Information about employees’ health, including whether or not they have tested positive for coronavirus, is special category data under the UK General Data Protection Regulation (UK GDPR). Employers considering testing employees for coronavirus should do so only if they can comply with their UK GDPR obligations relating to the processing of such data.
Please refer to the ICO’s guidance which states that employers are likely to be able to rely on their health and safety duties as a ground for processing special category data for workplace testing. However, the ICO also says that employers should:
- Carry out a data protection impact assessment before carrying out testing
- Process employees’ health data only if this is necessary and proportionate
- Collect the minimum data necessary and ensure that this is kept secure
- Provide employees with information, for example when arranging a test or going for a test including details of: what health data will be collected; what it will be used for; who (if anyone) it will be shared with; and for how long it will be kept.
Employers using a third-party testing provider needs to satisfy itself that the provider understands its responsibilities as a processor of data and has in place appropriate technical and organisational measures to meet the requirements of the UK GDPR and ensure the protection of the rights of the employees. There must be a contract in place between the employer and the third party setting out specific details relating to the processing and the security.
BOSS’ HS&E teams are here for support and guidance, do not hesitate to email them on CoronaHelp@bossfederation.co.uk if you have any doubts, or to discuss how they can support you.