As COVID-19 restrictions are lifted and a phased return to the office commences, employers must interpret the guidance available to them and deploy best efforts to protect employees. There is a range of new measures that employers may consider to protect the health and safety of employees in the workplace. One such measure is the act of checking the employee’s temperature on a daily basis as recommended by the World Health Organisation. In this article, we will review the current guidance for the UK and Ireland in respect of temperature screenings and what considerations should be taken as a data controller before implementing such measures.
Is it personal data?
The Belgian Supervisory Authority has offered clarity in their recent guidance, advising that the act of taking a temperature without recording is not personal data. However, if the data is automatically processed or recorded by the employer, this activity falls within the scope of Regulation (EU) 2016/679 (GDPR). In a practical sense, it would be very difficult for an employer to take any action in response to a high reading without creating a record relating to the employee’s health.
Lawful bases
Where an employer decides to carry out temperature screenings, they must determine the lawfulness of processing under Articles 6 and 9 of the GDPR. Employers should note that under Article 6, it is not advisable to rely upon the lawful basis of consent (Article 6 (a)) where there is an imbalance of power such as an employee/employer relationship. The Information Commissioner’s Office (ICO) has advised that Article 9(2)(b) may be relied upon where the processing is necessary for the purposes of carrying out employment obligations in the context of relevant health and safety legislation.
Guidance – United Kingdom
The Government of the United Kingdom has not directly addressed the issue of temperature checking employees in their general guidance. Instead, they suggest that employers conduct a comprehensive risk assessment and consult employees on how best to manage the present risks.
A Data Protection Impact Assessment (DPIA) is advisable to enable the organisation to assess data protection risks appropriately and to make informed decisions on how they wish to process personal data. In line with the UK guidance, employee consultations can be incorporated into the DPIA process. Trilateral offers DPIAs to assess and identify organisational risks and establish best practices for ongoing compliance.
Guidance for employers within the UK will also vary depending on the region in which the employer operates. Further guidance broken down by region can be found here.
What does the ICO say?
The ICO acknowledges that employers may process health data as part of workplace screenings, but only where there is a very good reason to do so. Under the accountability principle (GDPR), the expectation remains that employers have fully assessed the proposed processing activity and comply with the current requirements under data protection law.
Guidance – Republic of Ireland
Similarly to the UK, the Government of Ireland’s Return to Work Safely Protocol does not require or instruct employers to implement temperature screenings. However, the protocol stipulates that where employers have implemented temperature screenings, employees must comply with these checks. In respect of enforcing such checks, there is no identified legal underpinning for mandating this requirement in respect of employees.
On balance with the rights of the data subject, we would advise that employers work with employees to accommodate any concerns and to handle any objections rather than attempting to enforce mandatory processing from the outset.
What does the DPC say?
The Data Protection Commission has not commented directly on temperature screenings. In their March guidance, the DPC acknowledges that employers have a legal obligation to protect the health of their employees and maintain a safe place of work. As with the ICO guidance, the DPC strongly recommends against rolling out any stringent measures without a strong justification and an appropriate assessment to cover the processing.
Prevention
Employers should look to ways of reducing the likelihood that employees will present with symptoms at the workplace, minimising the instances in which they will need to handle such health data directly. Such measures may include revising the current working and sick leave policies to prevent instances where an employee attends the workplace while symptomatic.
Privacy
Employers must consider where these checks are conducted, by whom, and how the confidentiality and privacy of the employee are protected. Where an employee presents with a high temperature, which may or may not be caused by COVID-19, the company protocol should be carried out in a manner that is as private as possible. Additional privacy may be provided by considering where the screening and isolation will take place, whether employees will be working or passing through these areas at any time, and whether these areas can be blocked off and access limited to authorised persons only.
Employees are unfortunately vulnerable to discrimination and stigmatisation at this time and every effort should be made to keep any involvement in protocols confidential. The implementation of such measures will be required based upon the risk present and type of working conditions. In some instances, it may be appropriate to allow employees to be provided with the necessary equipment to self-screen. However these measures are put in place, effectively combating the spread of COVID-19 will require a concerted effort by both employer and employee.
In conclusion
While the opinion as to whether an employer is justified in carrying out temperature checks varies, we advise that the legislation and guidance at a national level are reviewed in detail as part of your continual assessments of COVID measures.
The current guidance does not direct, nor does it prohibit, the existence of employee temperature screenings; however, where employers wish to implement such measures, at a minimum they should:
- Conduct a DPIA to assess how their organisation can comply with data protection law and mitigate risks;
- Document the procedure and update all relevant policies for both practical and transparency purposes;
- Determine who will conduct temperature checks and how these will be carried out (including consideration of self-screening);
- Decide how objections and concerns will be handled and by whom;
- Implement measures that are proportionate to the risk present (these measures may be adapted as the risk landscape changes).
From reviewing the guidance available, it is clear that employers must determine for themselves how to balance competing demands while complying with the legislation in place. To achieve this, a risk-based and flexible approach with the aim of accommodating all employees in working towards providing a safe working place for all should be taken.
Trilateral offers DPIA, compliance support, and data governance services that can help you evaluate your data protection needs and establish best practices for ongoing organisational compliance. For more information please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.