Traditionally very few employers have tested their staff for illnesses and other physical conditions.  The exceptions would be forklift truck drivers, airline pilots and operators of machinery in the workplace, who are tested for alcohol and other drugs as a Health & Safety measure, although quite often on an exceptions basis rather than routinely.  In general, employers dispatch ailing employees to Occupational Health centres and wait for a report, which only provides an indication of fitness to work.

So, health testing employees at work is outside normal business parameters.  But COVID-19 is changing what we regard as normal.  An employer is now likely to want to test employees for symptoms of the virus to protect other workers, and employees are likely to want those tests to safeguard themselves against infection.

In data protection terms, health data is special category data under the UK GDPR.  This means that the risk presented by holding this personal, sensitive data is higher than normal, so there should be particular attention to its security, who has access to it and how long it is kept.

There are also additional requirements around establishing lawful grounds for processing special category data.  The relevant grounds are set out in Article 9:

  • Employment, social security and social protection grounds to protect employee health (b)
  • The wider public health grounds (i), but only if there is a health professional involved in the testing
  • Reasons of substantial public interest (g)

The condition Health or social care purposes (h) would, in my view, not cover blanket testing of employees.

Where the appropriate condition is Employment to protect employee health, there is a requirement for an Appropriate Policy Document: a written policy on the use of special category data, required under Schedule 1 of the Data Protection Act 2018.

What must the Policy Document specify?

The Policy Document must include details of the processing in each case:

  • who the data subjects are
  • what personal data is being processed
  • the purposes of the processing
  • the grounds for lawful processing relied upon

It must also set out:

  • Procedures for securing compliance with the Data Protection Principles.  Cross-referencing existing procedures rather than copying them all in seems the simpler solution.
  • Procedures for reviewing requests for erasure of personal data as required by the GDPR (again, a cross-reference will work best).
  • Details of how long the data will be retained.
  • A statement of how long the policy itself will be retained, which must be at least six months after it is superseded.

Next steps

So, what steps should employers take if they want to introduce workplace testing for COVID-19 symptoms?

The first step would be to carry out a DPIA (data protection risk assessment) to identify all the data protection issues and the recommended solutions.  There are data protection considerations around the following:

  • informing employees about the testing
  • whether the testing is optional (i.e. with consent) or mandatory
  • who is carrying out the tests
  • how test results are recorded
  • how long the test results will be retained
  • who will have access to the test results
  • how the test results will be secured
  • counselling and next steps for those who test positive
  • how colleagues are informed that one of their team has tested positive and the safeguarding of the infected person’s personal data.

If you would like assistance carrying out the DPIA (data protection risk assessment) or finding appropriate policy documents on Monitoring at Work, we can help.  We offer tailored support services on retainer and a do-it-yourself option with our DP-Smart Toolkit reference manual, including template policies, procedures, contract wording and more.  Contact us to find out more.  Link:

Mandy P Webster, Data Protection Consultant