Skip to content
Menu

Home FAQs If an employee has had a coronavirus test, can we require them to disclose evidence of their test results?

If an employee has had a coronavirus test, can we require them to disclose evidence of their test results?

Obtaining an employee’s Covid-19 test result will amount to processing personal data for the purposes of the General Data Protection Regulation 2016/679 (GDPR) and information about an employee’s health is a special category of data (sensitive personal data under the Data Processing Act 2018 (DPA)).

In accordance with the GDPR and DPA, there must be lawful grounds for processing such information. Most employers rely on employees’ consent to obtain medical information and process sensitive personal data and if the employee is unwilling to give consent, you will not normally be entitled to the information.

Special category data can be processed lawfully if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. Employers may be able to require an employee to disclose their Covid-19 test if there is a substantial public interest, such as ensuring that the employee self-isolate if they have a positive test. However, there is a risk that this measure could be considered disproportionate particularly if it is enforced on all employees as a blanket measure.

Related FAQs

How do I ensure my use of video conferencing calls complies with GDPR?

With the loss of face-to-face meetings in the current situation, video conferencing has taken centre stage. But how do you do that in a compliant way? Here are some of the main high-level data protection issues to consider when selecting and implementing a new third party provider’s video conferencing system.

  1. Make sure you do your due diligence on the security measures offered by the provider. Clearly you can’t visit them, so look at the information offered publicly by the provider and read good quality, reliable, third party sources and ask the provider questions directly. Also ask any other organisations you know that use the provider. Document all this.
  2. If personal information is being sent outside of the UK/European Economic Area, make sure that transfer complies with GDPR. If it’s a US provider, is it registered in the EU-US Privacy Shield list or does it offer a model clause contract (you’re likely to need the 2010 version)? Or is the service provided from a country whose data protection laws offer equivalent protection to those in Europe? Look at the support service as well as the hosting. Document this.
  3. Make sure you put a compliant processor agreement in place. The provider should offer one as part of the contract terms. Check it meets GDPR requirements.
  4. You’re likely to need to update your privacy notice, particularly if you’re going to record calls. Provide participants with a short message and link to the privacy notice in the meeting invite and on any registration page.
  5. Create or update other GDPR-mandated documentation – for example, depending on your use, you may need a legitimate interests assessment and to update your record of processing.
  6. Finally, configure and use the system in a secure and compliant way. Look at the settings/options carefully and think through the security and compliance implications of each. That could include deciding who in the meeting can share their screen; whether or not you use passwords for participants; whether or not to record, and if you’re going to record, where to store the recording. Document your decisions and the reasons for them.

The ICO has said it understands that resources, whether they are finances or people, might be diverted away from usual compliance work during the pandemic. However the last thing you need at the moment is to create a bigger problem than the one you are trying to solve. So do the best you can, ask for help from one of our specialists if you need it, and keep the whole thing under review.

On 16 April 2020, Ian Hulme, the ICO’s Director of Assurance, posted a blog for business owners, employers and managers about how to safely roll out the latest video conferencing technology.

On 21 April 2020, the NCSC published security guidance for organisations on choosing, configuring and deploying video conferencing services.

Last updated on 9th April, 2020

I am dealing with an estate where the bank has sent me an indemnity to obtain the funds. Will the bank accept my signature without it being witnessed by my solicitor?

If you have obtained a Grant of Probate or Grant of Letters of Administration there should be no need to complete an indemnity, merely an account closure form. If however you have not yet obtained a Grant but the bank is willing to release funds then they will generally require an indemnity to be executed. Several banks and building societies including Barclays, Lloyds, HSBC and Santander have signed up to the British Banking Association’s voluntary Bereavement Principles, one of which is to support the bereaved according to their personal needs and work with you to resolve everything as quickly as possible.

If the indemnity requires a solicitor to act as a witness, you should contact the bank to see what they are willing to do to get around the problem, given the current situation.

Last updated on 1st April, 2020

What other factors may be considered?
  • Integration:
    • Is the individual held out as being employed by the business by having a company email address, uniform, how would they introduce themselves to customers?
  • Exclusivity:
    • Is the contractor restricted from working for other organisations without the consent of the end user client?
  • Length of engagement:
    • Is the contractor engaged to work on a specific project for a defined period? Or are they engaged for an indefinite period with no reference to a specific task or project?
  • Pay:
    • Are there regular fixed payments or is payment on completion of specific task or commission based? Is the contractor entitled to benefits or bonuses?
  • Facilities:
    • Does the contractor provide their own equipment and materials to provide the services?
  • Financial risk:
    • Is the contractor personally responsible for any loss arising from their work in performing the services? Will they have to rectify unsatisfactory work at their own time and expense? Will they have the opportunity to profit from the success of a project?

Last updated on 4th February, 2021

How is an establishment defined?

The definition of a relevant establishment is a question of fact for an Employment Tribunal. Guidance from case law says that ‘establishment’ should be interpreted very broadly (so as to avoid employers escaping the need to collectively consult), and may consist of:

  • A distinct entity
  • With a certain degree of permanence and stability
  • Which is assigned to perform one or more tasks
  • Which has a workforce, technical means and a certain organisational structure to allow it to do so

However, there is no need for it to have the following:

  • Legal, economic, financial, administrative or technological autonomy
  • A management which can independently effect collective redundancies
  • Geographical separation from the other units and facilities of the undertaking

Last updated on 7th May, 2020

What impact does the Regulations have in respect of matters which arise from Fire Safety Audits - e.g. if balconies with wooden/decking elements are now considered higher risk and whether that would fall to developer to remedy the materials used to construct balconies?
The duty would fall on the owner of the building to control the hazards presented by balconies made from combustible materials. There may be scope (via warranties/indemnities or other terms) arising from the contract between the developer and owner for the owner to seek to recover the cost of remedial works.

Last updated on 13th October, 2022