Reassuringly dull cyber security. e: info@normcyber.com  t: +44 (0) 203 855 6215

Employee health screening and data protection


The UK Government and the three devolved administrations in Scotland, Wales and Northern Ireland take different approaches to employee health screening. Employers should therefore make sure they comply with the local requirements that apply to each of their premises, including any local differences that are introduced over time.

If a business wants to screen returning employees for symptoms of COVID-19, or to test them for the virus itself, there are data protection implications. Such checks involve processing information that relates to an identified or identifiable individual, so the information must be handled lawfully, fairly and transparently. Screening results will almost always be health data, which is "special category" (sensitive) personal data under the GDPR and must be protected even more carefully: the business needs a specific condition for processing special category data in addition to a lawful basis, and, under the Data Protection Act 2018, an appropriate policy document in place.

Handling data lawfully means being able to rely on a lawful basis provided for in the GDPR. Employee consent is one possible basis, but it is fraught with difficulty: because of the imbalance of power between employer and employee, an employee may feel he/she has no real choice but to agree, and consent that is not freely given is invalid.

However, there is an alternative. Employers have a legal obligation to ensure the health and safety of their workplace, which gives them a 'legitimate interest' in carrying out screening that they can rely on as a lawful basis, provided they collect and share only data that is relevant and necessary. Because screening results are special category data, the business must also satisfy one of the GDPR's conditions for processing special category data; for workplace screening this is usually the employment condition, which is what the appropriate policy document supports.

Note that what is relevant and necessary data to collect may change as government guidance is modified, so care needs to be exercised.

In addition, to show that the processing of screening data complies with the GDPR, a business must take account of the accountability principle, which makes businesses responsible not only for complying with the GDPR but also for being able to demonstrate that compliance. One way of demonstrating accountability is a data protection impact assessment (DPIA).

If your organisation is going to carry out testing and process health information, it should conduct a DPIA focused on the new areas of risk. The DPIA should set out:

  • the activity being proposed;
  • the data protection risks;
  • whether the proposed activity is necessary and proportionate;
  • the mitigating actions that can be put in place to counter the risks; and
  • a plan or confirmation that mitigation has been effective.

Transparency is very important: a business that wants to test employees for COVID-19 or check for symptoms should be clear about what decisions it will make with that information. It should also have clear and accessible privacy information in place for employees before any health data processing begins (although the ICO acknowledges: “We recognise … that in this exceptional time it may not be possible to provide detailed information”).

Before carrying out any tests, a business should, amongst other things, let its staff know what personal data is required, what it will be used for, and who it will share it with.

All businesses should ensure that they have appropriate technical and organisational security measures in place. An organisation considering screening its employees because of the current health crisis would be prudent to review its existing arrangements, paying particular attention to who can access screening results, where they are stored and how long they are retained, since this is health data.
