Thermal screening and temperature checks have taken over my email inbox and LinkedIn feed for the past few weeks. Every equipment provider and even manned guarding companies seem to have the ‘solution’ to your COVID-19 problem. What I don’t see a lot of talk about is the privacy impact of these so-called solutions or even the legality of them.
Suppliers will supply and install them, but will they tell you of the risks involved with collecting, processing and storing the information produced, or about your employees’ rights? Some are even suggesting going further and having manned security companies with their suddenly developed ‘bespoke’ systems (which funnily enough all look the same apart from the logo on them) collect the data for you. So, a third party is going to collect all of your employees’ data?
I’m not suggesting that temperature screening shouldn’t be done. In some cases it will be necessary. I am saying that if you are supplying a service it should be the service your client needs, not the one you have to sell. It certainly should not be a solution that will cause increased risk to the client later. That’s what I want to talk about here.
As a policy, temperature screening seems like a reasonable step for some workplaces as the economy opens back up again. I’ve already produced a video on the systems and procedures that should go along with this policy for security providers.
While it may represent a reasonable control measure to reduce COVID-19 spread in some workplaces, it also involves the collection and processing of a significant amount of employee data. Some of that data is sensitive.
It is also a new data processing project (i.e. you haven’t always had it in your workplace) and so it requires a data privacy impact assessment (DPIA) to be undertaken. Failure to do this could leave the employer open to a Data Protection Commission investigation or, worse still, a data breach leading to a loss of employees’ sensitive health data.
Temperature is health data
Taking a temperature is gathering data about the health of a person. Health data is regarded as sensitive personal data under GDPR. There are additional safeguards and restrictions in place when it comes to the collection of sensitive personal data. There are strict limitations on why and how you can gather this data. There is an allowance for sensitive personal data to be gathered for public health reasons, but this is generally for cross-border health-related issues and not related to employment. The legal reasons allowed for gathering this data are actually quite restrictive.
To process sensitive personal data legally you have a few options:
- By consent
- Public interest clause
- Vital interest of a natural person
Consent is the first and easiest option. Getting consent shouldn't be too difficult if an employer is open and transparent with employees about the temperature screening as a single control measure in a full risk management system designed for their protection. All of the usual data protection tasks still apply, such as telling the employee clearly why you are gathering the data, what you will use it (and won't use it) for, where it will be stored, who will have access, etc.
The consent should be obtained in writing from the employee. This doesn't just apply to temperature screening though. It applies to asking employees to fill out health questionnaires prior to returning to work as well. The other two reasons may also be used to gather the data in more extreme circumstances. They can only be used in the event that other lawful reasons cannot be obtained and much higher protection measures would have to be applied to the data once it is gathered.
Data Privacy Impact Assessment
The section above covers the lawful gathering of health data. That is only one area of data protection law. There are several other areas of the legislation to consider before implementing any data gathering solution. This is where a data privacy impact assessment comes into the equation.
A DPIA is basically a review of the impact that your new process has on the privacy of the data subjects. It details that you have identified all of the potential risks, evaluated them and put in place suitable control measures to reasonably protect the data and the rights of the data subject. The risk remaining after the control measures still has to be justified as being balanced against other risks (such as public safety).
Compiling a DPIA is a legal requirement for any new data processing measure. Even though the Data Protection Commission doesn't require every company to send them in for approval, the document will be required if a complaint is made or a breach occurs. The level I’m seeing now of providers offering technical solutions with no DPIA and, by the looks of things, no idea how to do one is worrying. Developing a DPIA for a processing activity such as temperature screening can be complex depending on the system used and could cause a substantial legal issue in the future.
There are a number of potential risks as I see it with some of the systems I see being promoted at the moment:
- Manned guarding companies offering a system that they have built and will operate for their clients. Firstly, manned guarding companies generally have no idea about security system specification or commissioning. Secondly, they are gathering and storing information on a client's employees on behalf of that client. This should be a huge area of concern for any client.
- These all-singing, all-dancing solutions are being sold as a complete problem solver. They are not and never will be. My fear is that the perceived safety of the screening makes employees and employers complacent about other measures such as hand hygiene and social distancing. My approach with clients is to assume that everybody is infected at all times, regardless of what the temperature screen, health survey or any other measure tells you.
- Any of these systems that are claiming to be 100% accurate. Need I say more?
- Some systems are trying to take the friction points out of access control. They are creating systems which include a temperature reading, combined with facial recognition and reading an employee's card to provide access to an area. Seems great, but this is a huge amount of data to be gathering and processing and I struggle to see how it could be justified to gather all of this in one place.
- A single data breach in any one of these systems will lead to widespread non-compliance among employees.
I am not saying don't use these systems. I'm saying if you are going to use them then you need to recognise them for what they are. They are a single control measure of moderate effectiveness which carries a lot of risk. They should be used as part of an overall risk management approach to COVID-19 and not sold as ‘the solution’.
Like I said above, if you are considering as a business investing in one, then ask the right questions and get the right documentation. Buy the system you need, not the one the supplier wants to sell you. If you are a supplier, then be part of the solution, not the problem. Lastly, if you are an employee, know your rights and your responsibilities.
Note from Tony
If there are any buyers, suppliers, security contractors or employees out there who would like a chat about the risk management protocols for return to work or a data privacy impact assessment please feel free to give me a call or an email. Always happy to chat.
Tel: 085 2821737 | Email: firstname.lastname@example.org