Employers as Contact Tracers: the Employment and Privacy Implications of Returning to Work


Of the many new terms that we have learned as part of the current pandemic, 'contact tracing' is one that seems to offer some light at the end of the tunnel.

The plan is that contact tracing will work in parallel with the new NHS app that is being developed and anyone who tests positive for COVID-19 will be referred by the test centre, or their medical carer, to the contact tracing team. The team then leaps into action and calls the person to ask them who they have been physically close to over the previous week. Everyone on that list will then be contacted and advised to self-isolate for 7 days. They will also be asked to call the team if they exhibit any symptoms, and if they do, their contacts in turn will be tracked and asked to isolate.

This process is even more streamlined if the app is used, as it will log the distance between the user’s phone and others nearby who have also installed the app, although it is thought that at least 60% of the population will need to install the app for it to be effective. Users will be able to choose to let the app inform the NHS of their contacts which then triggers an anonymous alert to other app users with whom they spent time over the previous few days. Those users will get an alert telling them they have been close to someone with the virus and that they are advised to self-isolate. All of this is set to be up and running by mid-May.


The problem, however, is that despite the Government making the announcement about putting 18,000 contact tracers in place (3,000 of which will be health professionals) on 24 April 2020, they are yet to be recruited, let alone trained. The existing base of contract tracers stands at 350, after many of these types of public health roles were victims of austerity. Add to this that many experts are saying that 18,000 is a drop in the ocean and we will need many more in order to make this process work. When questioned on the Today programme on 1 May 2020, Robert Jenrick, Local Communities Secretary, was unable to provide any information on when this might begin, although recent reports suggest it might be outsourced to a private sector supplier such as Serco. Not that we want to be cynical about the Government's ability to pull this out of the bag, but recruiting and training 18,000 contact tracers in a matter of days, seems something of a big ask to us.

The Government do appear to have increased the amount of testing that can now take place, which means that employees who may be returning to work or may have been there all along, can finally start to access tests, if they are unwell and some, at least, will start to test positive.

The problem with the contact tracers not being in place is that employers are going to have the burden of dealing with these employees and will have to work out how to protect their other employees, whilst being mindful of the employment and privacy rights of the employees who have tested positive.

You can strongly encourage your employees to tell you if they have tested positive. You can make this clear in policies and workplace announcements, but can you sanction them if they do not tell you and you later find out? This is a difficult question and will depend on all the circumstances, but in general, it seems unlikely that not informing your employer of your personal health issues, would be viewed as misconduct by a tribunal.

If your employee does tell you that they have tested positive, then you have to consider the privacy implications for the business of effectively stepping into the shoes of the contact tracers and contacting everyone who has been in contact with that employee at work and requiring them to self-isolate. It may be possible that you can keep the identity of the employee anonymous, but chances are that this will not be possible in reality.

Health information like this falls into special categories of personal data which means that you are subject to additional duties in relation to it. You can process special categories of personal data in relation to your employees if you have their explicit consent, but consent in the employment relationship has historically been held to be invalid, due to the imbalance of bargaining power between employees and their employers. It is yet to be seen whether an exception may be made in a COVID-19 world. If that consent is not obtained or not valid, then employers will need to look to other lawful means for processing.

In the UK, processing of the special categories of personal data is authorised for employment purposes, if it meets certain conditions:

  • The processing must be necessary for the purposes of performing or exercising obligations or rights which are imposed, or conferred by law, on the employer or employee in connection with employment;
  • When the processing is carried out, the employer must have an appropriate policy in place; and
  • Certain additional safeguards set are observed.

An employer has an obligation to protect the health and safety of all its employees, and so processing data about the COVID-19 status of its employees, in order to protect them, should fall into this category provided it is handled properly.

In terms of policies required, this may be covered in your current Data Protection Policy or Privacy Statement but now might be the time to give that an update. You need to ensure that it details your procedures for processing such data, what it will be used for and how long you will retain it.

The additional safeguards that you have to observe are that you must retain the appropriate policy document, review and update it from time to time, if needed, and make it accessible on request to the Information Commissioner's Office, without charge.

We also recommend that you conduct a data protection impact assessment (DPIA) to identify risks to the rights and freedoms of your employees and to ensure you comply with your obligations in relation to privacy. The DPIA will ensure you are considering the data protection principles by only collecting what data is strictly necessary; deleting the data when it is no longer required; informing your employees of the use of the data; and ensuring adequate security controls are applied to the data.

It would also be sensible, at this relatively early stage, to develop and provide to your employees a COVID-19 policy that addresses COVID-19 in the workplace, which strongly encourages people to inform the company if they have tested positive, and contains a clear structure for doing this, with as much confidentiality reassurance as possible. It should explain what will happen with the information once provided and should cross-refer to the Data Protection Policy. It will also need to include details of what is expected from employees in terms of maintaining confidentiality, if someone identifiable has tested positive and they become aware of this (officially or unofficially). In this case, you could potentially impose a disciplinary sanction on an employee for not maintaining confidentiality on this information. The Policy should also cover victimisation and, again, include potential disciplinary sanctions for anyone who subjects a fellow employee to a detriment as a result of their COVID-19 status.

This is a complicated area and one with employment and privacy implications that employers should not have to deal with, but until Public Health England are fully resourced, employers have no choice but to stand in the shoes of the contact tracers, to keep their workplace safe and well.