Coronavirus screening records and results, together with other health information, is a ‘special category’ of personal data which requires an additional layer of protection due to its sensitive nature.
Special category personal data may only be processed where there is both a lawful basis for processing personal data under Article 6 GDPR and where there is an additional condition for processing that special category personal data. Those additional conditions for processing special category personal data are set out in Article 9 GDPR and Schedule 1 DPA 2018.
The main lawful bases on which organisations may perform coronavirus testing and process the related special category data will be:
- where the data subject has given their explicit consent (discussed in more detail below); or
- where the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law, such as ensuring the health, safety and welfare of employees.
It is important for employers to determine and document the condition for processing special category data before the processing begins. In many cases it will also be necessary to put in place an ‘appropriate policy document’ in order to meet a Schedule 1 condition for processing under the DPA 2018.