ba Cornerstone
020 7242 4986 or  0333 240 0591 London  |  Birmingham  |  Cardiff
News

Temperature checks – are they lawful under the GDPR?

22.06.2020

By Matt Lewin

As schools, offices, shops, and other commercial premises begin to re-open after the lockdown, it appears that many premises owners are carrying out temperature checks for staff, students and visitors as a condition of entry.

For instance, in April 2020, the BBC reported that Amazon had installed thermal cameras in its warehouses, including in the UK, to screen employees for potential coronavirus symptoms.

However, the UK government's current advice on making workplaces "COVID-secure" does not specifically recommend the use of temperature checks. The World Health Organization (WHO) advises, in the context of international ports of entry, that temperature checking alone may not be very effective as it may miss asymptomatic people or it may yield a false positive.

A person's body temperature is personal data concerning their health and therefore constitutes "special category" personal data under Article 9 of the GDPR. Processing of that data can only be lawfully done in very limited circumstances – and it's far from clear that those organisations carrying out temperature checks of employees, students and visitors to their premises are doing so lawfully.

The Belgian Data Protection Authority (the APD) has recently issued specific guidance on this topic. With the help of a GCSE in French and Google Translate, we can summarise the main points for you:

  • Simply taking a person's temperature, without making any record of that check, does not constitute processing of personal data. This includes the situation where a person is refused entry to the building – provided that no record is retained of that outcome. It follows that this activity is not regulated by the GDPR and therefore there is no data protection rule against it.

  • Sometimes a record will be produced as a result of a temperature check, for instance a member of staff is sent home from work or a child is sent home from school: this will in most cases result in an entry to be made on their personnel/school record to justify their absence and further records may be created as a result of dealing with any sick pay implications. This does constitute processing of special category data and would therefore require both a lawful basis and an additional condition to justify the processing.

  • Especially in a work or school setting, given the imbalance of power between data controller and data subject, it is highly unlikely that a GDPR-compliant consent could be given and therefore (explicit) consent would not be an appropriate lawful basis on which to rely.

  • Automatic temperature screening (the above examples assume that the temperature check is carried out manually), whether or not a record is subsequently produced, always amounts to processing by "automated means".

  • There is currently no appropriate condition in Belgian law to justify this processing activity and therefore new legislation is required to make it lawful.

On this last point, the same would appear to be true in the UK too. Schedule 1 to the Data Protection Act 2018 sets out a number of conditions on which data controllers can rely to justify their processing of special category personal data. However, outside of a health setting, with one possible exception for employment settings, none of those conditions would appear to be applicable to routine temperature checks as a condition of entry to premises.

The APD noted that general occupational health and safety obligations in Belgian law were not sufficiently specific to provide a condition to justify the processing.

In the UK, the equivalent legislation is the Health and Safety at Work Act 1974. Section 2 of that Act sets out a number of "general duties", including the overall duty on an employer "to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all his employees". In principle, that duty would appear to fall within paragraph 1 of Schedule 1 to the Data Protection Act: "the processing is necessary for the purposes of performing ... obligations [...] which are imposed [...] by law ... on the controller [...] in connection with employment."

Note, however, the requirement that the processing must still be "necessary". That might not be the case currently in the UK if temperature checks are not officially recommended under current UK government guidelines. Note also the requirement for an "appropriate policy document" – without which the processing would be unlawful.

What is the overall lesson? Given its limitations in detecting individuals who are truly infected with COVID-19, and the potential compliance obligations that might attach to it, temperature checking might be more trouble than it's worth.