ICO Back-To-Work Guidelines 

The Information Commissioner’s Office (ICO) has announced its back-to-work guidelines to help those returning to work. The guidelines are aimed at employers who will be able to look into these principles as well as best practices to improve the working conditions under the COVID-19 pandemic situation.

These guidelines are centred around the idea and framework of data protection law. The solutions here address the issues related to the return to the workplace during this confusing time.

General Principles

Legal Basis

  • Testing for Covid-19 symptoms is considered as the processing of personal data and subject to the General Data Protection Regulation (GDPR) and the data protection law
  • Legitimate interests are likely to be the appropriate legal basis for processing for employers
  • Employers must undertake these checks under Article 9 condition for processing (e.g Article 9(2)(b) – employer’s obligations on health and safety)

Data Minimization

  • For special category data, employers must only collect and retain the minimum amount of information needed for the purpose
  • Employers may collect adequate and relevant data that is purpose-limited in nature and in use


  • Employers must be clear and honest with employees regarding the use of the information
  • A clear and accessible privacy policy is required for employees before any health data processing begins

Data Subject Rights

  • Staff should be able to exercise their information rights
  • Rights must not be undermined during the COVID-19 crisis
  • A secure portal or self-service system should be installed

Employee Testing: Possible, But


  • Must be clear regarding what decisions you will make with that information
  • Before carrying out any tests, you should at least let your staff know:
    • What personal data is required?
    • What will it be used for?
    • Who will you share it with?
    • How long do you intend to keep the data?
  • Try to provide employees with the opportunity to discuss the collection of such data if they have any concerns

Data Protection Impact Assessments (DPIA)

Employers should conduct a DPIA for the testing.

This DPIA should set out:

  • The activity being proposed
  • The data protection risks
  • Whether the proposed activity is necessary and proportionate
  • The mitigating actions that can be put in place to counter the risks
  • A plan or confirmation that mitigation has been effective

Data Minimization

  • The result of a test can be seen as a yes or no, negative or positive rather than finding out the additional details about underlying conditions
  • Consider which testing options are available with regard to privacy protection

Temperature Checks/Thermal Cameras: Possible, But

  • Make sure that any monitoring of employees is necessary and proportionate, and in keeping with their reasonable expectations
  • You can use the surveillance camera DPIA template to this end

Maintaining Lists of Employees who Tested Positive: Possible, But

  • Purpose limitation is essential
  • Ensure that data processing is secure and confidential.
  • Ensure that such lists do not result in any unfair or harmful treatment of employees (e.g. from inaccurate data or data which isn’t up to date)

Disclosing an Employee’s Condition: Possible, But

  • Keep staff informed about potential or confirmed COVID-19 cases without naming
  • Do not provide more information than is necessary

Receiving Test Results from an Employee: Possible, But

  • Have due regard to the security of that data
  • Consider any duty of confidentiality owed to those individuals who have provided test results
  • Make sure your use of the data is necessary and relevant
  • Do not collect or share irrelevant or excessive data