Employee Privacy Notice – COVID-19 Workplace Testing

In this Privacy Notice, we describe how your Personal Data will be collected, used and shared in connection with our efforts to carry out testing for viral material of SARS-CoV-2 and SARS-CoV-2 antibodies in the workplace in the context of the COVID-19 pandemic (our “COVID-19 Workplace Testing”). For clarity, in this Privacy Notice, “SARS-CoV-2” refers to the virus that causes the COVID-19 disease.

Who is responsible for the handling of my Personal Data?  

Employer is the Controller (for the purposes of the General Data Protection Regulation (“GDPR”)) of your Personal Data.

Testing For All will act as the intermediary between yourself, Employer and the laboratories which will perform the testing for viral material of SARS-CoV-2 or antibodies against SARS-CoV-2. Testing For All will also provide you with access to a platform where you can see the results of your tests. Testing For All is the Controller of some of your Personal Data, insofar as it relates to: (i) the delivery of the COVID-19 Workplace Testing services, (ii) the management of their relationship with us, and (iii) the development of Testing For All’s products and services (for example, conducting market research and data analysis). Testing For All is a company limited by guarantee registered in England and Wales under company number 12570433 with its registered address at 13 Hawley Crescent, London, England, NW1 8NP. Please see the Testing For All Privacy Policy for further details about how and why they will process your Personal Data.

What types of Personal Data will be collected and processed in connection with our COVID-19 Workplace Testing?

Employer will collect and process Personal Data about you, which may include:

  • Your full name, date of birth, sex, full home address;
  • Email address and mobile phone number;
  • First 4 digits of place of work postcode, job role;
  • Your history of symptoms associated with the virus SARS-CoV-2 and related COVID-19 disease;
  • Whether you tested positive for SARS-CoV-2 and/or COVID-19 and if so, where and when;
  • Sample (i.e. any fluid, such as blood);
  • Sample ID; and
  • Test result.

For what purposes will Employer process my Personal Data and on what legal basis?

Employer will process your Personal Data for the following purposes:

  • to enable you to get tested for antibodies against SARS-CoV-2 by using Testing For All as an intermediary between you and the laboratories performing the testing (see below);
  • to refer you to the Testing For All platform (see below) which will be used to enable you to see your test results; and
  • to comply with any legal requirements.

We rely on the following legal bases for our collection and processing of your Personal Data:

  • the processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c) GDPR);
  • the processing is necessary to protect your vital interests and those of our employees (Article 6(1)(d)); and
  • the processing is necessary for our legitimate interest in ensuring the health, safety and wellbeing of our employees (Article 6(1)(f) GDPR).

Where the Personal Data we process is special category data, the additional basis for processing that we rely on is that this is necessary in carrying out our health and safety obligations and exercising our rights in employment and the safeguarding of your fundamental rights, in particular to ensure the health, safety and welfare of employees (Article 9(2)(b) GDPR). In addition, we rely on processing condition 1 at Schedule 1 of the Data Protection Act 2018, which relates to the processing of special category data where this is necessary to enable us to comply with our legal obligations in the field of employment, including under the following legislation: (i) the Health and Safety at Work Act 1974, and (ii) the Management of Health and Safety at Work Regulations 1999.

With whom does Employer share my Personal Data?

Whenever possible, when your Personal Data is shared with third parties, your identity will be protected in accordance with accepted industry standards and applicable laws. Your Personal Data will not be made publicly available. Employer never sells your Personal Data to third parties.

In order to carry out the COVID-19 Workplace Testing, we share your Personal Data with Testing For All, as further described in the section ‘Who is responsible for the handling of my Personal Data’.

Where will my Personal Data be maintained?

Employer may disclose any additional servers or services where your Personal Data is maintained in your company Data Protection notice.

How will my Personal Data be protected?

Employer takes technical measures that are designed to protect your Personal Data from unauthorized access and use:

  • Where possible your Employer will not export your Personal Data from the Testing For All testing system, which includes protective measures detailed in this Privacy Policy.

What are my rights with regards to my Personal Data?

The GDPR gives you the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

How long will my Personal Data be retained?

Your Personal Data will not be kept for longer than is necessary, as stated in this Privacy Notice, and will be retained in an anonymized format wherever possible. When your Personal Data will no longer be necessary for the purpose of responding to the COVID-19 pandemic, it will only be retained to the extent that this is required under applicable legislation, and will otherwise be deleted.

How do I submit questions or concerns?

If your concern cannot be resolved, you may submit a complaint to the UK Information Commissioner’s Office.

Updated 24 September 2020