
Shared & Halved – IHL series: Bringing the workforce back: COVID-19 testing

On 10 July we held a webinar as part of the IHL series looking at the privacy issues of testing staff and of track and trace as we return to the workplace. This included looking at the types of COVID-19 tests that are available, what they can actually tell you and what arrangements to make to carry out the testing. Set out below are the key takeaway points:

Getting staff back to the workplace

  • All employers will have their own position regarding their return to work in the near future, subject to the demands / requirements of their business and in accordance with the ongoing Government guidance to do so.
  • For those who are desk-based, working from home is possible and will be very much the norm going forward.
  • For some, there may never be a need to insist that people return to work – other than on a very ad hoc basis.
  • For other employers however there will be a need to insist that staff return to work in order to fulfil their contractual obligations – particularly for those who operate within the supply chain, manufacturing, or service sector industries.
  • A number of our clients are in recovery mode and have needed to return their employees from furlough in order to aid their recovery plans. Overall, clear communication is required when setting out the reason why a return to work is necessary at that time, and how that return to work will be managed. This will include the need to make it known to staff that the return to work is both safe and secure and in accordance with government guidelines, particularly in relation to social distancing, increased hygiene measures, and general arrangements for getting in and out of the workplace, with or without the use of public transport, car parking facilities, etc.
  • The employer’s overall duty here is to ensure the health and safety of its employees at work, that is, to set up a safe system of work when in work.
  • As such, communication to staff about future returns to work will also have to include detail about any applicable testing that the employer may require its employees to take part in so as to enable their safe return to the workplace, both for themselves and others. Each employer’s position will however be different to the next; each case will require clear thought in terms of careful planning, and the undertaking of necessary COVID-19 risk assessments so as to facilitate a safe and secure return to work.
  • There is useful guidance both on the HSE and Government websites, and through additional sources such as ACAS. Compliance with Government guidance will be good evidence of the reasonably practicable steps an employer has taken in respect of ensuring the health and safety of its staff and setting up a safe system of work.

Employer insisting on tests for employees

  • Testing is possible and may complement an employer’s overall plan designed to return staff to work, and minimise the spread of the virus.
  • But there is no obligation on an employer to test.
  • It will be employer specific and depends upon the type of employer they are, the industry or sector that they work within, and their overall risk profile in this area for the continuation of their business activities.
  • Food manufacturing, for example, will have much more stringent health and safety requirements so as to be able to insist on some form of testing before their staff can enter the workplace – this being both appropriate and proportionate to their business activities and the risk to public safety by not undertaking such testing.
  • The consideration of whether a form of employee testing is undertaken must however form part of an employer’s COVID-19 risk assessment processes in relation to staff returning to work.

Testing options available

  • Temperature testing
    • A number of employers and businesses/airports are using temperature testing as an initial indication of a potential COVID-19 infection.
    • However, new MHRA guidance issued on 3rd July cautions against what can be unreliable thermal testing devices. Temperature test results can fluctuate in healthy people, and people with a non-symptomatic infection won’t be identified.
    • This can therefore be used as an indicator but the presence of a fever should be followed up by a test for an active infection, which now can be done by the NHS. 
  • PCR test
    • The next potential test that an employer could use is a PCR test which is the gold standard test used by the NHS using a method called PCR (polymerase chain reaction) to detect active virus from a nose and throat swab.
    • Sample collection can be done at home or at a testing facility. This will provide information on an active infection. Timing for results can be as short as on the same day or more usually it will take 24-72 hours if the samples need to be shipped to a laboratory.
    • These tests can be quite expensive as they require specialist PCR lab equipment, but there is a very high accuracy for positive results.
    • There however remains the small risk of false negative results whereby someone is infected, but the test does not detect the infection, so a negative result is given.
  • Antigen Tests
    • Related to PCR testing, there are also a number of new antigen tests in development which test for the virus in a slightly different way.  Some use different samples such as saliva which would be easier to administer and may be less costly. However, the accuracy of these tests has not been proven so none of these tests are currently available but that may change quickly.
    • I have recently advised a client who has repurposed its activity to develop a novel saliva-based antigen test. I worked with them to negotiate the terms for their involvement in a large clinical trial within the NHS to assess this test against the NHS gold standard. Initial results are expected in only 4-6 weeks after which a submission could be made to the MHRA for a swift approval of the test under the COVID-19 derogation.
  • Antibody Tests
    • These test for a previous infection by detecting the presence of antibodies to coronavirus. So if you have a positive test, you have had a COVID-19 infection.
    • However, the results show that there are still a number of false negatives from these tests, which means that people who have had a confirmed COVID-19 infection still had a negative test result for antibodies to COVID-19.
    • As COVID-19 is such a new disease there is no clear evidence that the presence of antibodies means immunity to COVID-19. However, as the science is evolving rapidly, a positive Ab test result may become more useful/reliable in future so there may be some benefit in collating information now on the prevalence of positive antibody tests results for employees.
    • There are other Ab tests in development such as finger prick tests using a few drops of blood, which at the moment can only be used by medical professionals. However, there is no home COVID-19 test kit that is approved and available and the MHRA issued a statement on 29th May that all home finger prick COVID-19 Ab tests should not be used in the UK.  These tests, once available for home use, would be similar to home pregnancy kits.

Practical issues that businesses should be thinking about

  • Most employers won’t have the ability to undertake testing themselves so will need to work with a supplier for those tests.
  • There are a number of important considerations for the appointment of a supplier:
    • Type of test. Do you want a PCR-based test and, if so, when? Is it for employees coming in to the office with a requirement for regular testing, or only when symptomatic or prior to attendance at a meeting or event?
    • Do you want to screen all employees with an antibody test, given that this test cannot confirm immunity?
    • Method of sample collection. Will this be at a supplier’s site or home based with employees sending off their own samples?
    • It is important to check that the lab to be used has the appropriate accreditation for COVID-19 testing.
    • Are you getting results or diagnosis? Are you being provided with test results or an interpretation of those results? This is important as the provision of a diagnosis is likely to be the practice of medicine, so a medically qualified person needs to be involved. There are many private medical companies providing testing and they will have medical doctors assisting with diagnosis. Your current private medical supplier may be able to assist, or you could look for another specialist supplier.
    • The liability position under a supply of COVID-19 testing contract is important as none of the tests are 100% accurate for positive and negative test results, so a supplier cannot guarantee accuracy in all cases. However, there are potential issues that could arise such as a faulty machine or mixed up samples etc. It will be important to deal with this clearly in any supplier contract.

Key issues in the area of data privacy

  • The UK regulator, the ICO, has been pragmatic. You are unlikely to be prevented from taking necessary steps to protect your staff, but you need to be responsible and apply the usual data protection principles: be proportionate, transparent and conduct Data Protection Impact Assessments (DPIAs) to reduce risks and as a record to justify your decisions. You will need to consider:
    • the type of work you do
    • the type of premises you have
    • whether working from home is possible
    • can testing be confined to highest-risk roles?
    • can the information be limited so it will only be seen by medically qualified staff, under confidentiality agreements or in positions of responsibility?
    • are the tests effective and reliable? Keep in mind the latest government advice
    • do social-distancing measures get around the need for testing?
    • what reaction will your employees have? Many might view any test as being on a par with a medical examination.

So, what would be the data protection lawful bases for doing so?

  • If there is a good reason for doing so, you should be able to process health data about COVID-19. You will need two lawful bases:
    • For public authorities carrying out their function, public task is likely to be applicable. For other public or private employers, legitimate interests is likely to be appropriate, but you should make your own assessment for your organisation.
    • Health data must also have an additional condition for the processing. The relevant lawful basis will be for employment law and health and safety responsibilities. In the UK, this basis also requires an employer to have appropriate policies in place.
  • We’re not talking about consent in the employee context.

Can we create a questionnaire asking employees about symptoms and COVID-19-related health data?

  • In assessing the risks consider: does social distancing, the rules about face coverings, and self-isolation when experiencing symptoms mean this would add little to justify the high-risk processing?

Can we perform temperature checks?

  • There are different types of tests and technology used, some of which are more invasive than others:
    • A contactless scan that just gives a temperature, with no record stored, may not even involve personal data, but be cautious because your use may make it so!
    • Anything more involved, with thermal imaging or facial recognition that makes a decision about a temperature (such as showing a cross, a tick or a green light), will involve personal data and may amount to automated decision-making, which requires extra protections such as the right to have human intervention and a way to contest the decisions made.

Can we do COVID-19 tests?

  • Proportionality is the key. You must carefully consider whether your use is fair and proportionate considering:
  • What are the potential negative consequences, especially if the test itself has limited effectiveness? Would a voluntary approach achieve the same thing?
  • They may be more effective than temperature testing but more invasive and there are issues about false negatives for active infections and what antibody tests actually tell you.
  • If the NHS is rolling out active infection testing, there could be arguments that it’s not proportionate for an employer to do this.
  • The difference between compulsory and voluntary testing will be significant to your risk assessments.

What about our track and trace records? Do we have to delete them?

  • For certain sectors this is being encouraged, and the personal data involved about employees is contact information and times of working.  You should not collect more than is required or keep it for longer than required unless you normally do so. This is seen as voluntary but there may be indirect ways that this could be enforced, for example, by local authorities for licences or validation for certification etc.

Can we roll this out across all jurisdictions?

  • There is no one size fits all approach across Europe, so you’re unlikely to be able to have the same approach across your entire jurisdiction, with some countries banning employers from undertaking certain tests.

Can I make the tests mandatory? If so, how often?

  • This is possible, but you must carefully consider whether your use is fair and proportionate:
  • What are the potential negative consequences, especially if the test itself has limited effectiveness? Would a voluntary approach achieve the same thing? Is this crucial to the business, or is it just desirable? It’s not like offering a flu jab that gives benefits to both sides but is mostly voluntary, nor yet having the status of an accepted fitness to work qualification at this stage. Your DPIA will be fundamental to justify enforcing tests or the provision of information.
  • Timescales must be reasonable and proportionate. If you want to repeat them, justify this.
  • Privacy information is crucial for transparency including the use of any testing service details.

Can I keep lists of people with symptoms or positive results?

  • Yes, if you can justify the tests, you can justify keeping the results. But again, keeping employees’ rights in mind, there must be no unfair treatment, and accurate and up to date information will be vital. It should not be used for unexpected purposes. You should avoid naming people across the business.

Can I use CCTV or other forms of surveillance to monitor whether employees are observing health measures?

  • Yes, this may be justified if done openly, and a DPIA has been undertaken to assess that it’s necessary, justified and proportionate and no other more reasonable methods could achieve the same result. There is a code of practice relevant to employee monitoring in the UK to be followed. Be cautious of “use creep”. Going further to use footage for contact tracing and advising about self-isolating needs to be considered carefully, and justified and publicised. Employees have legitimate expectations of some privacy, and this may unwittingly reveal sensitive matters.

Top practical tips

  • Do a DPIA. There are specific issues to record for intrusive technologies like thermal cameras for temperature testing and the ICO might ask you for it.
  • Document everything.
  • Check the latest industry or sector guidance regularly. We’re finding daily changes for our clients operating globally.
  • Check and update your privacy notices.
  • You will need policies in place that describe your processing, retention and deletion of the personal data.
  • Check and update your records of processing activities.
  • If a third party is doing this work for you, do your due diligence and have a proper contract in place including the mandatory terms to protect personal data processing.


This information is for educational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. © Shoosmiths LLP 2022.
