UK Issues Updated Guidance for Employers with COVID-19 Testing Programs

By Rosemarie Lally, J.D. November 9, 2020
LIKE SAVE
Houses of Parliament and Big Ben

​Even as a spike in COVID-19 cases propelled the U.K. government to announce a new national lockdown starting Nov. 5, employers are laying the groundwork in preparation to reopen more fully when possible. They know that implementation of internal testing programs to ensure employee safety is key to a smooth reopening.

The U.K. government issued updated guidance Oct. 8 laying out employer best practices to ensure a testing program's reliability and effectiveness.

The National Health Service (NHS), England's publicly funded health care system, offers COVID-19 testing, but many employers have access to private health care plans that also offer testing.

"By offering such schemes to their employees, employers can take proactive steps to help protect the safety and well-being of their personnel and any visitors," said Philip Thomas, an attorney with Reed Smith in London. "Private testing is convenient, speedy and may help take some pressure off NHS resources."

Nonetheless, because testing programs involve the use of personal data, employers implementing internal testing are faced with serious data-protection concerns. Initial guidance was issued in May by the U.K. Information Commissioner's Office. It provided six data-protection steps for organizations choosing to test their employees for COVID-19:

  • Only collect and use necessary data. An approach that is reasonable, fair and proportionate to the circumstances is unlikely to raise data-protection concerns.
  • Keep data collection to a minimum, collecting only the information needed to implement testing measures appropriately and effectively.
  • Be clear, open and honest with employees about their data, how it will be used, whom it will be shared with and how long it will be kept. This can be done with a privacy notice.
  • Treat employees fairly and consider any detriment they might suffer as a result of the testing policy.
  • Keep people's information secure and hold it only for as long as necessary.
  • Allow staff to exercise their information rights, such as the right to access or correct personal data.

Recently updated guidance issued by the U.K. Department of Health & Social Care fleshes out employer obligations with information on what test results mean, the testing process, collecting results, communicating results to staff, and what employers can and cannot do with results.

Deciding to Initiate Internal Testing

As a first step in deciding whether to initiate a testing program, the recent guidance advises employers to be certain of:

  • Who the testing will cover.
  • What the focus of the program is (i.e., staff with symptoms or without symptoms).
  • How often staff will be tested.
  • Appropriate facilities for carrying out the tests.
  • Whether a virus or antibody test should be used.
  • What the arrangements will be for any individual who declines testing.
  • How the employer will use test results, including its policies on handling health information, absence from work, self-isolation and nondiscrimination.
  • The compatibility of the program with its legal responsibilities to staff.
  • The affordability of implementing a testing program.

"Before initiating a workplace testing program, employers need to be crystal clear about what their objectives are so that they can communicate those objectives clearly and transparently to their employees," Thomas said.

Many employers are outsourcing their testing programs to qualified medical providers, according to Katherine Gibson, an attorney with DLA Piper in London. Employers should partner with experienced occupational health providers. Implementing mandatory testing is tricky as this is usually reserved for safety critical positions, she cautioned.

"If it's an ordinary office job, it's better to keep the testing voluntary," Gibson explained. If the testing program is voluntary, an employee can refuse to participate without fear of retaliation.

Communicating Test Results

Employers should ensure that laboratories processing the tests meet their legal obligation to notify Public Health England, the executive agency of the U.K. Department of Health & Social Care, of any positive results. Employers and third-party health care providers are legally obligated to share results with the person tested. They are encouraged to communicate any potential or confirmed COVID-19 cases to the workforce but without naming the individuals.

"An employee receiving a positive result is told to self-isolate for 10 days," Gibson said. "Generally, if an employee is asymptomatic or feels well enough to work and has the type of job that can accommodate working from home, employers will facilitate that. Otherwise, the employee is permitted to take sick leave."

Data-Protection Considerations

Although data-protection law does not prevent employers from taking appropriate health and safety measures in the workplace, data-protection considerations must be considered when processing personal data, particularly health data, according to the guidance.

"Prior to implementing testing, an employer should carefully carry out a data protection impact assessment," Gibson recommended. "Employers should also make sure employees understand the organization's fair processing notice," a privacy notice required by the General Data Protection Regulation. "Transparency is needed so employees can decide whether to submit to testing."

Thomas also emphasized the importance of proper data protection, saying employers should have a clear policy on how they will handle, share and store any personal data that emerges from any testing program. Furthermore, since employer data-protection policies may have been prepared without COVID-19 in mind, they may need to be refreshed to comply with applicable data-protection laws.

When an employee tests positive in a workplace program, the employer has a "difficult balance to strike" in notifying others who may have been in close contact with the sick worker, Thomas said. 

Data rules require that even permissible disclosure should be kept to an absolute minimum to achieve the processing purpose, Thomas cautioned. In most cases, it should be possible to notify an employee that he or she has been exposed to a colleague who has tested positive without naming names.

Rosemarie Lally, J.D., is a freelance legal writer based in Washington, D.C.

LIKE SAVE

Job Finder

Find an HR Job Near You
Search Jobs

SHRM CONNECT

Find your peers in SHRM's online community.

Find your peers in SHRM's online community.

Join SHRM Connect

SPONSOR OFFERS

HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.