Too hot? Or Not? Can you legally take and record the temperature of your workforce to mitigate against Covid-19?18th September 2020
On 1st September 2020 the European Data Protection Supervisor (EDPS) stated regarding body temperature checks that ‘careful assessment and data protection safeguards are necessary’.
Whilst the UK Government’s current advice on making your workplace ‘Covid-19 Secure’ falls short of specifically recommending that you take the temperature of your employees and visitors as they arrive, many organisations, such as the BBC and Amazon, have introduced these measures.
From a GDPR point of view, a person’s body temperature is classed as ‘special category’ personal data because of course, it is concerning their health. This means that processing of this data can legally only be done in very restricted contexts.
So, we need to distinguish between taking the temperature and recording that information. Just taking the temperature is not classed as processing data unless the information is recorded, therefore this would not fall under GDPR regulations.
However, as soon as you record the temperature against the name of an identifiable individual, you have begun to process ‘special category’ data and this is where the GDPR regulations do apply and there are steps which must be followed.
Full guidance can be found on the ICO website here and we would urge you to read it thoroughly and see how it applies to your organisation.
Top ten things to consider if you are deciding whether to temperature check your staff:
- Remember that an individual’s body temperature may be high for many reasons, they may have run to work, have an underlying medical condition, and tests are not 100% accurate so taking temps is a useful indicator but is in no way definitive.
- Is the testing ‘necessary and proportionate’? If not, don’t do it.
- The government has not said that taking temperature is a necessary step.
- An employer can not compel an employee to have a temperature check.
- Do not collect personal data you don’t need.
- If you do decide that temperature checking is necessary, do you need to record the results? Our recommendation is that you do not.
- If you are recording special category data, you must follow all of the guidelines, including having both a lawful basis and a second condition for processing under Article 9.
- If you have CCTV – be very careful that the temperature checking is not caught on camera and recorded by accident, against a person’s image.
- A handful of regulators have already prosecuted organisations for incorrectly implementing temperature checks – Data Processing Impact Assessments are absolutely essential.
- The ICO will ‘. . .will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis’.
If you are unsure as to whether you should do temperature checking or if so, what your legal obligations are, please do get in touch with one of the specialists here at the Griffin House Consultancy – we are here to help.
Book your complimentary call with one of our data protection specialists or contact us:
Call: +44 (0)1673 88 55 33
Email: [email protected]