COVID-19 Return to the Workplace July Update: UK Employment and Data Protection Law Issues

As the UK government’s “Working Safely” guidance was published on May 11, 2020, employers are now generally familiar with the COVID-19 transmission risks and the main principles of the safety measures expected to be in place prior to a return to work. The guidance goes only so far, though, and many employers are finding that the lack of detail around some of the core principles can present problems from both a health and safety and a data privacy perspective, forcing them to take pragmatic and sometimes creative approaches to the reopening of their office. As the position continues to develop, we have set out below an update on some of the key issues for employers at this stage of the journey.

1. Can we reopen our office?

Many employers have dipped their toes in the water by reopening on a limited, voluntary basis. This is in spite of the current UK government guidance stating that employees should continue to work from home where possible.

However, this limited reopening is unlikely to be considered a breach of the guidance, particularly where (i) the employees returning are those for whom being in the office provides tangible advantages even if it is “possible” to work from home, and (ii) all other aspects of the guidance have been followed and the workplace has been “COVID-19 proofed.”

A mandatory return to the office would likely prove more problematic, and studies show that many employees do not yet feel comfortable about the prospect of restarting workplace life and the daily commute. Staff forced to return may try to leverage legal protections under whistleblowing or health and safety legislation. As a consequence, employers could face liability if a dispute about returning becomes acrimonious and the employee suffers a detriment or is dismissed. As a result, most employers are waiting until the government guidance changes before requiring employees to return to the workplace.

However, it still makes sense to prepare RTW plans and risk assessments now and fully consider the employment and data protection issues.

2. Will the new one meter and social distancing rules from July 4 apply to workplaces?

In alignment with the overall UK guidance on social distancing from July 4, the appropriate social distance for workplaces remains two meters, though, as with the general position, a distance of one meter is permitted “with risk mitigation” where two meters is not viable. The key difference between workplaces and the general rule is that employers have more control over the layout of the office, the number of employees present, and the types of activities carried out and so will in most cases be in a position to ensure that social distancing of two meters is observed.

The guidance goes further, however, and states that, where social distancing guidelines cannot be followed in full in relation to a particular activity, employers should consider whether that activity needs to continue for the business to operate, which in most office environments is unlikely. Where the activity is operationally required, all possible mitigating actions should be taken to reduce the risk of transmission between staff. This includes increased hand washing, time limits on the activity, using screens or barriers to separate people, using back-to-back or side-to-side working (rather than face-to-face), and operating fixed teams or otherwise limiting the number of people each employee interacts with. This suggests that it will not necessarily be inconsistent with the guidance for employers with smaller office spaces to update their risk assessments and office floor plans based on a social distancing protocol of one meter with mitigation.

3. Do we need COVID-19 policies?

Many employers are now developing policies to deal with COVID-19 and updating their existing employee policies and handbooks to address return to the workplace (RTW), infectious diseases, visitors and remote working. Employers are also developing protocols to demonstrate how data protection principles are addressed in the context of their RTW strategy. For example, having determined what data will be collected on employees as part of their RTW strategy, employers should implement processes to ensure that the data is only kept as long as is necessary and in accordance with health and safety and regulatory requirements.

4. What information can we collect from employees?

Collection of personal data should be proportionate and necessary to protect against the risk of COVID-19 within the workplace. So careful thought should be given as to what data should be collected particularly on the health of employees in order to fulfill their legal obligations to protect employees from risks to their health and safety.

5. Are we permitted to implement temperature screening for employees?

Temperature screening, or other health screening, for employees is not required in the UK, though it could be implemented as an additional line of defense to protect employees’ health and safety. This is likely to involve the processing of employee health data, so employers should assess whether such screening is justified in the circumstances. Where temperature or other health information is recorded, the assessment should be documented in the form of a data protection impact assessment. It should be noted that the ability to carry out temperature screening varies considerably across Europe with some countries not permitting it or only when conducted by a company doctor or other medical professional.

If an employer does decide to proceed with temperature screening, there are other issues to consider, such as who will carry out the screening. If it will be carried out by designated employees, their consent is likely to be required from an employment law perspective to perform this role, and they should be provided with training on the screening process, including the operation of the thermometer. It will also be necessary to consider confidentiality, including the location where screening takes place, and how a high temperature or access refusal is communicated to employees in a private manner. Many of these issues can be addressed by appointing a third party to operate the screening process, but this could be costly and requires thought about what will happen with employee data.