Click here to view this briefing in PDF format

 

Introduction

While serial COVID-19 testing programmes of workers in nursing homes and food production facilities were rolled out by the HSE there is no general Government guidance or regulation compelling employees to be tested, or to submit to COVID-19 tests. As such, businesses that are not part of a serial testing programme would have to source, and pay for, COVID-19 tests privately.  So, is such an approach legal? Our Employment Group and Technology Group consider the employment law and GDPR issues businesses should take into account.

 

What if an employee objects to undergoing a COVID-19 test?

This might arise in the case of an employee who is not a close contact of a confirmed COVID-19 case and/or who is not displaying any COVID-19 symptoms and who therefore questions the necessity or legality of being compelled to submit to a test before being allowed on site. An employee cannot be forced by his/her employer to take a test, so the question is really about the implications for an employee who refuses to submit to a test.

There are competing interests at play between the employer’s legitimate interests in protecting its business and the health and safety of its employees, and an employee’s constitutional right to bodily integrity.  While most employees are likely to agree to be tested where there is a reasonable and proportionate basis for doing so, where agreement is not forthcoming, it becomes a question of whether a requirement to be tested is a reasonable instruction from management.

Where an employee refuses to submit to testing, an employer may understandably be reluctant to invoke a disciplinary process against the employee. Indeed, disciplinary action would not seem to be an appropriate or proportionate response. However, if the employee’s job cannot be done from home, the employer may decline to allow the employee on site (i.e. not to force the employee to submit to a test, but equally, not to permit him/her to work on site without a negative test result), and – importantly – to decide not to pay the employee for as long as he/she continues to refuse to undergo a COVID-19 testing.

An employee whose pay is withheld may make a complaint to the Workplace Relations Commission under the Payment of Wages Act 1991 that there has been a unilateral deduction from their pay. The employer will have to weigh up the risk of such claims against other factors, such as the number of objections relative to the size of the total workforce, the risk of COVID-19 spreading throughout a site with the consequent threat to employee health, supply chains, shipments and deliveries and the employer being forced to shut down. Furthermore, in a unionised employment the attitude of the relevant trade union(s) to mandatory testing will be an important consideration for the employer.

 

Data Protection Considerations

Legal Bases
As COVID-19 testing involves the processing of health data, employers would need to identify a legal basis for the attendant processing of personal data under Article 6 of the GDPR, and an exemption for the processing of special categories of data under Article 9 of the GDPR.

 

Article 6 GDPR
As noted above, there is no Government guidance or regulation compelling employees to be tested or to submit to COVID-19 tests.

As such, many employers will not be able to rely on Article 6(1)(c) (that the processing is necessary to comply with a legal obligation, under the Safety, Health and Welfare at Work Act 2005 or otherwise) or Article 6(1)(e) (that the processing is necessary to perform a task in the public interest) in the absence of a clear legislative mandate to conduct COVID-19 testing.

Further, any consent given by an employee to COVID-19 testing (e.g. by completing a written consent form) is likely to be regarded as invalid by the DPC, as the power imbalance between employer and employee would impinge on the “freely given” nature of the consent.  This would particularly be the case where the consequence of withholding consent would be their exclusion from the workplace and the non-payment of wages.

If an employer decides to base the processing on Article 6(1)(f) (i.e. that the processing is necessary to achieve its legitimate interests and those of its employees), it will have to demonstrate the necessity and proportionality of mandatory COVID-19 testing by reference to circumstances pertaining in the workplace, and it must be satisfied that it has sufficiently mitigated any countervailing risks to the rights and freedoms of staff.

The threshold for demonstrating that such processing is necessary and proportionate, and that sufficient safeguards have been adopted to protect individuals’ personal data, is very high.

In this regard, it is worth noting that the Data Protection Commission (“DPC”) has already adopted a narrow view of when temperature screening (which is naturally less intrusive than COVID-19 testing) could be conducted in compliance with data protection law, and it would be likely to interrogate the necessity and proportionality of mandatory COVID-19 testing on foot of any employee complaint.

In deciding if mandatory COVID-19 testing is in fact necessary and proportionate, there are a number of factors to be considered. For example has there been a high incidence of employees who have tested positive for COVID-19? Have there been any outbreaks on the site? Is the employer satisfied that other infection control procedures (e.g. mask wearing, hand hygiene, social distancing etc.) have not proved sufficiently effective in suppressing the spread of COVID-19 on site?

The employer should also consider the incidence rate of COVID-19 in the wider community, and re-assess on a weekly basis if mandatory COVID-19 testing is justified by reference to the prevalence of COVID-19 (as significant changes to these metrics can occur in short periods of time). For example, it may be more difficult to insist upon mandatory COVID-19

testing that was introduced during “Level 5 restrictions” if the region/country subsequently moves to “Level 2 restrictions.”

In short, an employer will be required to demonstrate that mandatory testing would be notably more effective in reducing the spread of COVID-19 (which requires some level of thought as to when testing should be conducted and in respect of which staff e.g. so test results will arrive before employees present for work etc.), and that other measures have proved insufficient for the employer’s purposes.

 

Article 9 Exemption
Save for special circumstances where an employer might have special obligations towards end-users (e.g. certain sectors of the pharmaceutical industry), the only exemption available to an employer is likely to be Article 9(2)(h) (that processing is necessary for the purposes of medical diagnosis, i.e. confirming whether an employee has COVID-19, in furtherance of the broader aim of suppressing the spread of COVID-19 in the workforce).

Reliance on this exemption is subject to further conditions under section 52 of the Data Protection Act 2018, including that the processing would need to be conducted under the responsibility of a registered health practitioner.

 

Data Protection Impact Assessments
Employers should conduct a thorough data protection impact assessment (DPIA) before introducing mandatory COVID-19 testing. Indeed, a DPIA is legally required under Article 35 GDPR insofar as the rollout of testing would involve the large-scale processing of health data.

Ideally, any DPIA should be informed by any consultation that has been conducted with employees and employee representative bodies such as trade unions, in relation to the risks and the measures the employer will adopt to mitigate the risks to employees’ data.

 

Mitigating Measures
Where employers decide to conduct mandatory COVID-19 testing, it is particularly important that the principles of data minimisation and storage limitation under Article 5 of the GDPR are complied with, in terms of the data processed and retained (i.e. personal data should not be stored for longer, or shared more widely, than is strictly necessary).

High levels of transparency are also required.  In this regard, it is crucial to clearly communicate the rationale behind the testing to all affected staff (and to adequately address any data protection queries or concerns that are raised).

The employer also needs to satisfy itself as to the testing provider’s security controls (including controls around access limitation and retention) and ensure that the testing provider processes the personal data in accordance with data protection law. In this context, the employer will need to enter into appropriate data processing agreements with the testing provider.

 

Mandatory testing of Contractors
In addition to employees, the employer may have an indirect worker population on site e.g. independent contractors, agency workers etc. The risk assessment might be different for contractors, particularly if it means that their personal data will be shared more widely (i.e. with the entity that supplies the contractors to the employer), and if it could be said that the processing would not be within their reasonable expectations to the same extent as it might be for employees.

Therefore, consideration needs to be given as to what level of information sharing is strictly necessary and to ensure that the measures adopted mitigate any contractor-specific risks.

 

Data transfers involving UK companies
What if a testing provider is based in the UK and employee data is being shared with that provider and/or being stored in the UK?  Helpfully, as part of the EU-UK Trade and Cooperation Agreement, a temporary arrangement has been put in place between the EU and the UK to allow for the transfer of data from the EEA to the UK until the European Commission adopts an adequacy decision in respect of the UK, or until 30 April 2021 (extendable to 30 June 2021 absent any objection).

However, should any COVID-19 testing and subsequent data transfers continue where the temporary arrangement has not been extended and/or an adequacy decision has not been made by the European Commission, employers will need to ensure that the transferred data will be afforded an “essentially equivalent” level of protection to that afforded by the GDPR, and adopt additional measures in accordance with Chapter V GDPR (such as Standard Contractual Clauses).

 

Benefit-in-Kind (“BIK”)

Finally, in a recent update on its website, Irish Revenue noted that due to health and safety concerns arising from COVID-19, an employer may perform COVID-19 testing on an employee at the workplace, or may engage a third party to do such testing on behalf of the employer. Revenue confirmed that in such circumstances, no BIK will arise and that where an employer provides a COVID-19 test kit to an employee for self-administration, no BIK will arise.