Cornwall Partners in Care News

This guidance is for adult social care providers who arrange regular COVID-19 antigen tests for employees and/or agency workers based in residential care homes or domiciliary services, to identify asymptomatic COVID-19 cases. 

COVID-19 test results (positive/negative) convey medical information, categorised as ‘Special Category Data’ under GDPR and the Data Protection Act 2018.  Receiving COVID-19 test results and taking action to manage positive cases means that you are processing the test results data.  The Information Commissioner’s Office (ICO) guidance about testing and processing the results is here.  

You need to:

1. Complete a Data Protection Impact Assessment (DPIA) before starting the testing – ICO template here.  Keep this on file and update it if your processes change.
2. Make arrangements to keep test kits and test results confidential and secure. This includes how test kits and test results will be securely stored, who will be made aware of test results (a need-to-know basis only, for those managers/HR who will manage the response to a positive test result) and how and when test results will be disposed of.
3. Identify the Article 9 condition for processing. The permitted ground for processing special category data in this situation is for health purposes, under Article 9(2)(b) of the GDPR (processing data where it is necessary to carry out obligations and exercise specific rights of the employer or employee in the field of employment, and part 1 of Schedule 1 to the DPA 2018).  You may also be able to use the ‘public health’ condition (because positive results will be passed to public health contact tracing teams).
4. Identify a lawful basis for processing:

If regular COVID-19 testing will be mandatory for your staff, the lawful basis will be ‘legitimate interest’ (protecting your staff and service users from COVID-19 infection).   For this you need to:

• Complete a Legitimate Interest Assessment (LIA) to show that the processing is necessary, and that you have balanced it against the individual’s interests, rights and freedoms. ICO guidance on doing this is here, or you could take specialist data protection advice.  Keep the LIA on file and update it if your processes change.         
• Compile a form for the employee to complete, sign and return to you before testing:
• confirming their understanding of how their data will be processed
• confirming their willingness to participate in testing (e.g. for 6 months, to avoid having to do a new form for every test)
  • Keep the completed forms on file. Get new forms from your staff if you need to carry on testing after the e.g. 6 month scope of the form.

If participation in regular COVID-19 testing will be voluntary for your staff, the lawful basis for processing the data could be ‘legitimate interest’ or ‘consent’. 

• If you use ‘legitimate interest’ – follow the steps in the point above.
• If you use ‘consent’, you must provide staff with a consent form to complete and return to you before the testing. 
  • confirming their employee’s willingness to do the test
  • confirming their understanding of how their data will be processed
  • providing ‘consent’ under GDPR as the lawful basis for processing their data (e.g. for 6 months)

Employees must be given a free choice about whether to complete the form and do the test, and can withdraw their consent at any time.

Swift HR is based in Newquay and offers specialist HR advice and support for Adult Social Care Providers in Cornwall.  Registering your business with us is FREE, and once registered you can contact us for HR support whenever you need to.  Full details of our services are on our website.  We offer affordable pay-as-you-go rates for one off pieces of work, or if you need a few hours of support each month we can offer a retained HR service at a discounted rate.  There are no long contracts (you can end or change your level of support with a month’s notice), so that you only pay for the HR support you need, and within your budget.  For your FREE registration with Swift HR, call Natalie Swift on 07918 015846 or email natalie@swifthr.co.uk. 

Pulse Cyber are GDPR Compliance Specialists for Health & Social Care and may be able to offer more specialist guidance and advice for specific situations.