Good afternoon everybody, and welcome to this afternoon's Shakespeare Martineau Webinar on Temperature Testing in the Workplace. Just by way of introduction, my name is John Heuvel I'm a partner in the employment team and I'm joined by my colleague, Kim Walker, partner in our commercial team specializing in amongst other things data protection.
Before we get started on our talk today, just a few housekeeping points, this is a live session, so we're hoping to get lots of questions from those of you who are listening in. If you want to raise a question, at the bottom of your screen, there's a Q and A icon. You click on that, and open the box, and you can type in your question there, and we'll try and answer as many of them as we can during the course of the session. We're scheduled to finish in about 10 to 20 minutes time.
Obviously, if there are a couple of questions still by the end, we will just finish those off before we, before we wrap up without any. Further ado, I'll get started. So by way of background, it's not well known that temperature testing is very much part And parcel of the current coronavirus high temperature is known to be a symptom of the virus. And if we look at the government guidance, it makes it clear that if you are having experiencing a high temperature that you're expected to stay at home self isolate for seven days.
Interestingly, though, the requirement to take temperature's isn't actually a measure that is being officially recommended by the government nor indeed by the WHO.
So, this sort of opens up a series of questions about whether or not it's appropriate to take temperatures of people visiting your premises.
There's an employment side to it, and we will come across that as we go through today, but I really want to start with the GDPR side, because obviously, taking a temperature is processing somebody's data. And as a general principle under the GDPR, it's a requirement that data is processed lawfully fairly and transparently. I think we really need to serve unpick those terms in this particular context. I'm trying to understand what's meant and therefore work out what, what the right course of action is. So, Kim, just starting off with the first of those concepts of resourceful processing in this context, What does that really mean in practice?
Yes, you're right on it, taking someone's temperature, even if you don't record the data, even if you don't record that temperature is processing and that. So that's something to get clear right from the start. And so just the act of taking someone's temperature has to be done lawfully fairly and transparently, lawfully. in the context of the GDPR means that that needs to be one of the law, well, one of the lawful basis for processing the data needs to to apply. And, that's going to depend on your situation. Whether your testing employees or whether you're testing visitors, to Toggle to your factory, or to a shop, or something. If it's in. Either case.
or in whatever case, you have to have a lawful basis, which would usually be something like compliance with the legal obligation for that. It's in everyone's legitimate interests, that temperatures are taken. But, because we're talking about health data in this case, which is called special category data, we need an additional lawful basis. one that applies and justifies the collection of the Special Category data. And, again, that is specifically going to depend on whose data you're collecting.
The basis on which you're likely to rely is you're exercising rights in the field of employment.
In other words, you have it, a duty to, to look after the health and safety of your employees, and therefore your exercising your right to do that.
It's worth mentioning here that the GDPR sets out to these these lawful bases.
But, health data is one of the areas where the GDPR allows national governments to sort of set their own additional rules.
and we have done so well, the UK has done so. So it's very important.
Look at the Data Protection Act as well when you're looking at lawful bases.
And if you're going to rely on your rights under an employment contract, rights as an employer, duties as an employer, then you see the Data Protection Act says you need also to have a policy document in place in order to be able to rely on that. And that policy document needs to spell out to the employees.
How you're complying with all. The data protection principles, data minimization, and how long you're going to keep the data for and what, what pressure, What processes you have in place to ensure that the temperature data is deleted after an appropriate time.
And also, if you're going to rely on that basis for collecting health data, you need to have enhanced records processing in accordance with the Data Protection Act.
Which, which basically, you need to record, how you go, which condition of the Data Protection Act you're relying on in order to collect the data, and how you're carrying out the data deletion requirements, and so on.
So, that policy, is that really an element of the transparency requirement, but it's required. It is, we'll come onto, obviously, the privacy notice requirement, which is sort of, which is clearly front and center in the, in the transparency in complying with the transparency requirement. But the policy document is A, is an additional requirement in order for the processing to be to be your foot in the first place.
So, you don't have the policy, The, the policy document, you don't regularly update it and keep it really six in place, really six months, I think, and what the records, I think I've got to be kept in place really six months and then the collection in the first place isn't lawful.
So if an employer wants to, decides, it's about to re-open its premises and would like to start testing employees, What's the first step that it needs to undertake? What does it stop need to do first?
Well, I think a data protection impact assessment is the place to start the GDPR, as, it will know, requires, or has an accountability principle.
So, it requires you, not just to comply with state the law, but also to show how you comply with the law.
And the GDPR requires data protection impact assessments in certain circumstances, whether, for example, a high risk to the rights and freedoms of an individual, or you're processing special category data, such as health data, on a, on A, on a large scale. And so, the ICO guidance on their website makes it pretty clear that if you're temperature testing, you should carry out a ..., which is a form effectively. It's a questionnaire.
two, nailed down, you know, the specific purpose for which you're doing the temperature testing. Look at all the risks that could arise out of it.
Identify your lawful purpose and look at possible mitigation of any of the risks that you identified.
So, that way she could do it in a less intrusive way or with less risk to the employee's health data, security, and so on. So, I would always start with the data protection impact assessment.
There's there's a form on the on the ICO website or which is a very generic form Or, you know, we supply my draft.
I've got a very specific TPI A four temperature testing designed to sort of draw out the specific information that you require, can imagine if they do need to be quite specific. Presumably, the way in which we're taking the test. Whether you're using thermal imaging or are more specific one-on-one testing will will make a difference to to what questions you need to ask in that impact. Ultimately, you're trying to show that what You're doing this, because it's going to be lawful fair and transparent and furnace.
one element of fairness is you know what with the employee reasonably expect or the individual is not employ, reasonably expect when you take the temperature. And that's going to be set by what you say in the privacy notice.
But also, it's going to be affected by the way you take temperature. So for example, you may decide, having looked at your, it looked at all the risks that, you know, forehead temperature testing is really all that's required in this case, rather than full body scanners.
Because you've got, in order to be lawful as well as having a lawful basis for the collection, you've got to do it in accordance with the Data Protection principles, such as data minimization.
So don't collect more data than is absolutely necessary for the purpose that you've identified for, so, So if you saw a full body scan, I might reveal other health information, which is irrelevant to, you know, the cozad assessment that you're trying to take. If tried to do so, you're absolutely right. The technical way you go about it is relevant to one of the things you have to address in your, in your DPLA. And how are we doing this? Why we do that? Is there are less intrusive way we can do it.
Once we're on the lawful basis, we've got a question that's come in. Which is, Can we rely on Article 6, 1 C as we have obligations under the health safety and work out to employees, students and visitors? I suspect that's from a university, given the question.
So, that's the question about the lawful basis.
Clearly, if, if you can can say that what you're doing is necessary in order to comply with a legal obligation, then yes, you can, you can rely on that local debase rhythm, that local basis.
I mean, there are other possible lawful bases such as, you know, that there's a substantial public interest in the, in the area of public health.
And that might apply if you're in the middle of a, you know, kogod hotspot or something.
But it's quite hard to rely on that one. And if you try and rely on it, you've got the temperature test and you've got to be done under the supervision of a health professional, so you can't just stand at the Turnstile. If your office and you gotta have a doctor do that effectively or it's going to be under the supervision of a doctor, but yes, the other one of course. I think the one that's going to the lawful basis. That may well apply.
We are talking about, people who aren't employees, is consent Because, I mean, I think it's quite quite well known that you can't rely on consent from an employee because of the imbalance in the employment relationship. So a consent given by an employee, is it really regarded as not having been freely given, and therefore, not valid.
But if, you're talking about just normal visitors to your, premises know, Someone coming into a shop, then, consent could, well be a valid basis. And probably the one to rely on, of course, it has to be freely given it has to be unambiguous. It has to be specific. They have to know exactly what they're consenting to, so it's not always easy. And they can always withdraw their consent at any time.
But that is one worth thinking about, as well for non, particularly for non employees. Suddenly, in the employment context, you would need to consent before you undertook a test in any event, from the employment side, because if you didn't, there would be an argument that the employee would have. You're committed to repudiate tree breach so the employee could, could resign and crane constructive dismissal. I think in practice, the, the reality is, it's a bit of a balancing exercise between your overarching health and safety duties tool to workforce as a whole and the potential breaches of employment law at an individual level. And I think there's an element of pragmatism that's needed in this exercise.
Yeah, I just mentioned going back to the question, you know, in order to rely on one of the grounds, what are the lawful basis?
What you're doing has to be necessary.
That doesn't mean absolutely essential. The ICO has made it clear. It doesn't mean absolutely essential in order to comply with the legal obligation. But it has to be a sort of targeted and proportionate way of achieving that objective.
You can't. You can't say it's necessary because it's useful or standard practice or it's the easiest way of doing it. That is not necessary. So that is what your ... is trying to get. That you're trying to sort of ask all these questions of yourself. Is it really necessary? Is there a better way I could do it? Is there a different way I could or should be doing it? For example, should we just be saying, well, it's too difficult to get people back into the office? They should work from home?
Or we only need to test the temperature's off, know, people who are going to be in close proximity, you know, the executive, the C suite of all got their own offices. Maybe we don't need to test them in the United States. All these kinds of things.
You need to to drill down into DPLA to show that what we're doing is necessary and proportionate.
Yeah, There's a couple of questions that have come in as you've just been answering that which I think is NSS, in essence, go to that DPI point. I'll just do with both of them together. If I make the first one, is, can the test take place in the reception in front of others where the results are shown on the screen or does it need to be private?
And the second one, is, if the office has a non contact infrared thermometer, which is for use, if staff members want to check their own temperatures for their own reasons, I think if, well, taken that second question first.
Clearly, if a, If a, an employee volunteers wants to take a test, let's take their intent there in temperature. Then.
I think that's, that's, that must be pretty clear.
I mean, that still leaves the question of what you do with the results of that test, if they took, it, turns out that there they have got a high temperature, You know, that you still have to worry about how you deal with that, that data, the result data, and then the.
The other question? I think it's a very good question.
I think you shouldn't really show the results of a person's tests publicly.
Just as, just like, if it turns out that someone is someone one of your employees has got an elevated temperature, you shouldn't, or should avoid if possible, you know, telling it's telling the other employees, I mean, it might be quite obvious because they don't come into work that day.
But if someone's got an elevated temperature in a particular part of the building, or it works in a particular part of the building, you should probably say, someone has just had to go home because they haven't, because they've got an elevated temperature, But you shouldn't, if you can avoid it, give their name.
You probably need to tell the line manager, for example, but you should minimize the people who, you know, the identity of the person in. Question, because, of course, The elevated temperature doesn't necessarily mean that got covered It could be for other reasons. So the.
So it and one of the day, the data protection principles is that you must ensure that data is accurate. So if you tell someone to know if you think someone's got covered, but you haven't, they haven't been tested. Then you may well have been using inaccurate data being breached and TPL that way.
That leads to quite a good point.
Actually, in terms of what happens when, when somebody has a reading, which suggests the high temperature on the employment side, we want to send them home as an employer. We wouldn't want them in the workplace.
Obviously, at that stage, you don't know whether they've actually got Covina, Whether they just have a race temperature for some other reason.
That leads on to the question of what happens in terms of pay?
There is an argument that, because the government guidance suggests that high temperature is the reason to not go to work to self isolate, that that in itself amounts to sickness absence. I'm not sure that that necessarily it's the case. I think initially, you probably would be sensible to treat it as a sick pay.
The problem comes when the sick pay and contractual pay differ in rate, because you're unlikely to have employees who aren't going to want to admit to having symptoms or temperatures or whatever, whether you're taking the temperature or not, if it's going to result in a adverse impact on their pay.
So, I think that's where things like homeworking come into their own, but that if you could possibly get an employee to work at home, if they feel well, but they simply have a raise temperature, that's a far better way of getting around the problem.
Then, starting to get into the issues over, over, what, pay should, should be given, but from, from the GDPR side, presumably an individual can refuse to be tested, No, legal obligation, if this testing going on, from the GDPR side, that they have to be tested that, right.
It's, it's, it's, it's voluntary, amir's, more employment law question. that the GDPR question that?
Yeah, so, you know, you can't use data protection for someone two, to take a test.
now, I think, the question of whether you can, for somebody to take a test and employment. It very much depends on, on the terms of your contract.
There, may be some implied terms, but, but if somebody's willing to turn up to work, but simply not willing to have a test undertaken, I don't think you could.
You could object, if they refused, you might have to send them home, but you'd have certainly have to pay them full pay during that period.
Yeah, I mean, one thing we haven't, I haven't mentioned, is, I talked briefly about what happens if they have got an elevated temperature, you know, who can you tell?
And related to that question, I guess, is, you know, well, what, what are you going to do if someone has a, an elevated temperature, you might say that I'll come into work that day. What did they bring in And say, I have had a test and I have got covert. What can you then do?
Um, in terms of sort of contact tracing within the workplace, or within the shop, or wherever wherever you are, you know, can you use CC TV to work out who they were close to in the last few days?
And I just mentioned that because that is one of the things that if you're going to use CCTV or something like that in your workplace, in order to contact Trace, you'll need to make that to spell that out in the privacy notice. And we haven't really talked about privacy notices, but the very important that if someone has that temperature taken that they're fully aware of all the reasons it's being done. What will happen with the data? How long that data will be kept for you know what their rights are in relation to that data? Of course, they've got the right to access it. They've got the right time it deleted. Who will who will the data be shared with? Will it will it go into the held in the cloud in some server?
Have you done your due diligence on, on your, on the cloud?
Have the, have the people who have access to the, to the data within your organization. You know, are they under obligations of confidentiality? All these kinds of things.
Or really, to be spelt out to the employee, when or to the individual, when they have the temperature tested, or, at least, to me, that information made easily accessible.
Yes. Yeah, I'm conscious of time. We have now reached out 20 minutes, but we still have quite a few questions. So, what I'll do, if people don't mind, is I'll just carry on for a couple of minutes, just to pick up the last couple of questions before we, before we wrap up.
So we've got various questions about, we've got one. Would it be better to ask a supervisor to take the temperature on a rifle check? It's not above a threshold, and if it is send home but not actually record it.
I mean, I think that's something you And I discussed the other day came and I think the difficulty there is, if that was not an employee, it would be fine to simply say, you don't have permission to come into the building because you don't need to store any data in that regard. But if it's an employee, the problem is, even if you're not recording the data of their temperature per se, the question is, will you have to tell somebody why the employees there?
Therefore, you are, in effect, recording, albeit indirectly that they have a race temperature because that's where you've sent them home, and they're not going to be physically in the office.
So I guess that still counts as, as processing data.
I mean, it clearly, if you don't, if you don't need to record it, you shouldn't record it, but is to you. Because that is that. Is that with a chord with principle of data minimization?
But, still, Pressings, processing the data, and conclusions will be drawn from the data, which might be to the employees detriment, the individual's detriment. And, therefore, you need to have thought through, you know, whether actually detrimental ways taking the temperature in the first place. Yes. Yeah. And similarly, on that, go into another question about, what do you do with people who have permanently elevated temperature? And the example I gave is menopause.
Presumably, that's to do with the accuracy of the data. And that's why, that's why your data protection impact assessment will need to address exactly that kind of question. And, what will you do?
Presumably, you will know, you may say, sorry, can you work from home today and go and get that test?
You know, because the government would want you to, anyway because you've got one of the symptoms and tell us if you will, the result.
And, so, you're not not overreacting to the yellow, to the, to the elevated temperature rating because as, as the questioner says, it could mean something completely different and, clearly. Because, you know, we are reacting in a way, which based on inaccurate data is a breach of the GPL. Yeah.
Thank you! I'm conscious that we, we have now over run a bit up, probably draw things to a close at this point.
There are a few other questions that are similar to ones we've already answered live, so, but we'll come back to people separately on those if there's anything specific that's still relevant.
But I hope everybody has found this useful and relevant and current circumstances.
Obviously, if you do have follow-up questions or queries that you'd like to discuss either with Kim and myself, please just let us know. We'll be happy to help you.
Just as a reminder, we do have our Free helpline, which gives access to senior members of the team to get some initial guidance over 20 minute phone call video call. And the details are up on the screen, now, if anybody wants to book a session.
So, please, do, Please do make advantage of that. And then last but not least, just as we round off, we've got a short poll will be quite useful. If you could just fill in before you log out, just give us a little bit of feedback on, on the value of these, these seminars.
So all that remains for me to say thank you very much for listening, and I look forward to seeing you at another one of these webinars saying Thank you.