This post is part of a series on contact tracing apps. You can read our introduction to the series and get links to the other entries here.

As workplaces begin to re-open after the COVID-19 lockdown and employers consider a phased return of their workforce, health and safety issues will be paramount. 

In considering how best to keep their workforce safe, employers may be tempted to use the NHSX contact tracing app. (For more details on how this works, see our previous blog.) 

Use of this app, alongside use of broader ‘contact tracing’ measures, may help employers to manage the return of their workforce whilst COVID-19 continues to present risks to the broader population. 

This blog discusses whether employers should consider the use of the NHSX app, and contact tracing more broadly, in order to comply with their legal obligations.  

An employer’s duty of care

An employer has a common law duty of care towards its employees to take reasonable steps to prevent foreseeable harm occurring to them. What will constitute 'reasonable steps' will always be a question of fact and will therefore depend on the particular circumstances at play. 

Employers also owe a statutory duty under health and safety legislation to ensure, as far as reasonably practicable, the health, safety and welfare of every employee, contractor and consultant. Much of the legislation is goal-based, leaving an employer scope as to how to achieve those goals.

Three sets of criteria have emerged to assist with the determination of the concept of 'reasonableness' (which features in both the common law and statutory duties owed by employers):

  1. objectivity – the standard of care required is that of a reasonable company acting in the circumstances;
  2. balancing cost and benefit – the employer must consider the likelihood of harm 'but for' the precaution, plus the severity of that harm balanced against the expense of the precaution; and
  3. common practice and expectations – conformity with broader industry standards, such as the government guidance on making workplaces 'COVID-19 secure' ('the guidance'), is good evidence that the proper standard of care is being taken. The guidance makes no reference to contact tracing apps.

The role of the government guidance

The duty of care owed to staff members will be particularly relevant in the coming months, as we see lockdown restrictions ease and workers return to the workplace. But what role does the guidance play? 

Following the guidance is evidence that an employer is taking the proper standard of care, but it is not conclusive. Importantly, the guidance does not supersede an employer’s legal obligations (which are largely untested in the current circumstances). Such legal obligations are non-delegable – employers cannot comply by simply setting up their workplace in a 'COVID-19-secure' manner.

For example, using floor signage in an office lift lobby to encourage employees to stand two metres apart is a good first step. But an employer is unlikely to persuade a court or tribunal that the signage alone was sufficient if it became clear that employees were not complying with the social distancing rules and nothing was done to resolve that. 

Employers might be expected to go over and above the guidance in order to meet their duty of care, potentially by disciplining the employees who are breaking the social distancing rules in our example.

Should employers use contact tracing apps?

If the guidance is the bare minimum, would employers be expected to use additional measures such as the NHSX app, or contact tracing more broadly, to fully comply with their legal obligations?

The NHSX app (which is currently being tested on the Isle of Wight with a planned launch in the rest of the UK in June) will be voluntary for the UK population. 

We have seen no indication that businesses should require their workforces to use such technology upon re-occupation of their workplaces. In fact, the Information Commissioner's Office (ICO) has recommended that participation in contact tracing apps is voluntary, and media reports state that NHSX has suggested employers will not be allowed to coerce employees into downloading the tracing technology.

Given this, it is unlikely that the NHSX app will become a mandatory tool to be used by UK employers as a matter of employee protection, or that employers’ duties of care will be judged by reference to the use (or not) of these apps.

Nonetheless, if an employer is aware of an employee who has become unwell with symptoms of COVID-19, and that employee had recently attended the workplace, it would be difficult to argue that an employer could satisfy its legal duties without asking that employee who in their workplace they had been in contact with, and providing appropriate warnings to other members of the workforce. 

Taking such action is contact tracing (albeit on a smaller scale and not in app form) and would likely be justified from a data protection perspective because it is necessary under employment law and/or for protection of public health (see more on this in our previous blog).

On this basis, employers might take the view that introducing the NHSX app to staff members is a reasonable and proportionate step and is justified by reference to the risks they are seeking to address. This analysis might be strengthened if large numbers of the workforce choose to use the NHSX app in their personal lives. 

This assessment may vary depending on the type of workplace, the business need for workforce proximity, and whether the employer can implement less intrusive measures. Office-based businesses (the majority of which have operated without significant disruption utilising home working) may therefore have more difficulty in demonstrating the necessity of the NHSX app than a manufacturing plant, for example.

If employers do take this approach, they will be accessing the personal health data of their employees and should be mindful of the relevant data protection laws (for further consideration of an employer’s data protection obligations, see our previous blog).  

What if an employee refuses to provide this information?

Even if an employer reaches the conclusion that contact tracing can be justified, it is likely that an employee who refuses to provide their personal health data to their employer via the NHSX app will be entitled to do so. 

Under the EU general data protection regulation, a data subject (ie the employee) may consent to their data being processed only if that consent is freely given. The ICO’s current guidance is that users of contact tracing technology can opt in and out of participation, so disciplinary action or dismissal on the grounds of refusal might be unlawful.

Even if an employee refuses to consent, employers may be able to rely on two further grounds for processing the employee’s health data via the NHSX app:

  • if it is necessary under employment law; and/or 
  • if it is necessary for public health (see our previous blog for more detail).

If an employee refuses to use the NHSX app, employers may wish to rely on alternative measures, such as asking the employee to confirm that they have not had, nor have they come into close contact with anyone who has had, recent COVID-19 symptoms before allowing them to return to work. 

Although, in this scenario, an employer will not require access to an employee’s NHSX app, asking for such information will still be a request for sensitive personal health data, so the data protection requirements will still apply. 

However, if such alternative measures work, there may be a suggestion that the employer’s purpose can be achieved by some other reasonable (albeit less efficient) means, which may call into question the justification for the use of the NHSX app. This is a tricky balancing exercise and one that employers will need to carefully consider.

A balancing exercise

There is undoubtedly a difficult conflict between an employer’s obligations to protect its workforce, with heightened pressure and scrutiny on planning for the re-occupation of workplaces after the lockdown is lifted, and restrictions on the processing of personal data. 

Clearly, personal health data accessed through the NHSX app would be helpful to an employer which is looking to ensure that its workplace is as safe as possible, but there is no indication that employers will be required to use such technology and the question will therefore be whether the benefits of doing so outweigh the potential legal risks.

Other posts in this series: