Thermal scanning employees for Covid and GDPR - How to avoid a higher level GDPR breach

Many European data protection authorities have issued cautious guidance on the use of thermal scanning under the GDPR. Most companies will simply rely on existing staff to respond to alerts, so the likelihood of discrimination based on assumed readings is high – a direct infringement of the rights and freedoms of the individual.

In the UK, the Information Commissioner’s Office (ICO) has published specific guidance warning that organisations looking to deploy such technology must give specific thought to the purpose and context of these checks and make a determined case for using them.

They have stated that a data protection impact assessment (DPIA) must be undertaken to achieve this and to justify the lawful basis you rely on (at least one is required).

We recommend that professional assistance is sought for this work, as your ability to operate thermal imaging and remain GDPR compliant will depend on the quality of this risk assessment.

If the risks cannot be mitigated by the DPIA, then you may have to contact the ICO directly to seek their guidance on the matter. A DPIA completed by our privacy experts will be sufficiently detailed to allow you to contact the ICO with confidence.

As commercial buildings re-open after lockdown due to the Coronavirus pandemic, business owners are looking for ways to reduce the risk and begin thermal scanning for employees, customers and visitors. Biometric screening at airports, on the transport network or at the entrances to offices works on the basis that it detects individuals who have a high temperature or fever – a key symptom of Covid – allowing them to be stopped and potentially denied access.

While thermal screening for Coronavirus is a good idea in principle, many business owners are unaware of the GDPR implications – and there are many! All of which could land you with an ICO investigation and an upper tier fine for unlawful processing of special category (health related) data.

Here, we explain how installing thermal scanning for Coronavirus could lead to a major GDPR breach due to the special category data involved – and how our data protection experts can help you solve these problems by conducting the necessary data privacy impact assessments (DPIAs) to allow the use of thermal screening technology. If the ICO do get involved, you will at least be able to demonstrate that you have considered the risks of processing and addressed these wherever possible – a key part of the accountability principle of the GDPR.

Thermal scanning technology – in whatever form, whether handheld or added to an existing system – scans people as they walk towards it, taking the temperature of that individual. If the person is believed to have a high temperature – possibly a fever, then the system triggers an alert for staff to speak to them and decide if they should enter.

There is a common misconception that thermal scanning equipment is unaffected by GDPR as the names of people are not collected or stored by the device – however personal data goes beyond this. By default, as soon as the equipment scans and gives a reading of someone’s body temperature, you are collecting data relating to their health – classed as special category data as the person who has been scanned can be identified by others in the vicinity.

Under the GDPR, special category data requires even stricter processing controls, as a breach could cause serious embarrassment to the data subject. The processing of special category data even has its own section under the GDPR – Article 9 – and breaches of this are taken extremely seriously by the Information Commissioner’s Office. In fact, the first GDPR fine in the UK (£275,000) involved improper storage of special category data – it is classed as a higher tier data breach.

It is worth noting that under Article 9 of the GDPR, unless there are extreme circumstances, explicit consent is required from individuals to process special category data – which includes health data. If it is not practical to gain explicit consent, then in your role as the data controller you must build a case to demonstrate that explicit consent is not required. To build this case, you must complete a data privacy impact assessment (DPIA) – something our privacy team have plenty of experience of conducting for many clients and are able to help with.

Contact us today and we can begin working immediately to ensure your system is legal before the building opens and you begin thermal screening for coronavirus.

Use of thermal scanning for employees

Many things need to be considered before this equipment is installed.

  • What due diligence has been conducted on the provider of the equipment? Do they have access to scan results?

  • If the temperature screening is conducted in a public area, how will you reveal the result of every scan? Displaying it on the screen of the device may be classed as a serious data breach at the first stage, as temperature checks are classed as health data – special category data.

  • If the equipment is being used and an alert is triggered, how are you going to approach that individual and decide if they should enter the building? Think of the potential embarrassment by being approached in a public space.

  • If an alert is triggered by a woman going through the menopause having a hot flush, how will you approach her without causing her extreme embarrassment?

  • If someone is hot from rushing around, are you going to make them take a second reading once they have cooled down?

  • If someone refuses to be scanned, what will your policy be?

  • Will the person who approaches the individual be medically trained, or a member of staff assigned the task of manning the scanner? If they are not medically trained, you may be wrongly identifying individuals as potentially suffering from Coronavirus, and discriminating against them – a breach of their human rights and yet another breach of the GDPR, as that individual has been accused or singled out based on an inaccurate reading of health data.

  • If the system includes facial recognition software, this is a further consideration as it means individuals who have a higher body temperature will automatically be identified as they walk past the device.

Facial recognition software is already a controversial method of surveillance – we have a separate page that discusses how our Privacy Team can help you tackle this challenge, either as part of this project, or another.

What will it cost?

If you engage with us to help implement a system for thermal scanning employees that is GDPR compliant, our pricing structure is simple, straightforward and highly competitive – there are no “day rates”, you only pay for the time we work!

We charge a flat rate of £125 per hour (plus VAT), per consultant, irrespective of the task, or engagement. This is highly competitive compared to other London GDPR consultancy services – why pay more for GDPR compliance, if you still have access to the experts?

When on site, our working day is 9am – 5pm. For site visits, reasonable subsistence expenses are charged; however, these are all agreed by you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £1,250 + VAT.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

New Clients

If you are a new client, we require 50% of the engagement invoice to be paid at the time of booking, with the remainder (plus any expenses) due within 48 hours of the completed project being delivered.

We hope this gives clients the confidence to engage with us – proving that we’re committed to providing you with a first-class professional data protection service, and one that you will be confident to tell your business network about.

Existing Clients

We believe in making it easy for our clients to work with us long-term, without needing to sign off each project – this can be a strain on administration and internal resources.

By signing off a batch of days or hours, these can be drawn upon by the team when required. At the end of each month, we raise an invoice based on the tasks worked on, using your main PO as a reference.

As you should now realise, there are many considerations that must be addressed before you install or begin using temperature scanning in the workplace – all of which are essential to remain GDPR compliant. Failure to address these simply means you have not formally identified a lawful basis of processing and, in your role as data controller, you are infringing the rights and freedoms of your employees and visitors and breaking the law.

Contact our Privacy Team today and we will ensure these considerations are addressed and you can demonstrate the completion of a data privacy impact assessment (DPIA) and that you have identified, understood and mitigated the risks of such processing – therefore making it lawful.
