Regulatory, employment and data protection considerations for businesses considering Covid-19 testing for employees

As the current Covid-19 crisis progresses and countries across Europe start to move towards relaxing lockdown restrictions, businesses will increasingly need to think about how to approach the return to the physical workplace whilst keeping their employees safe.

One of the tools that has been talked about as potentially being important to enable businesses to “return to normal” is the so-called rapid antibody test kit. These products purport to offer a quick yes/no answer as to whether an individual has been exposed to the coronavirus and therefore may have a degree of immunity. The validity and the scientific basis of these tests remain highly controversial, but they are starting to see increased validity, with Roche’s test being the first to receive the backing of Public Health England. As these tests become more established and widely available, some businesses may be considering whether these tests may provide a benefit to businesses and employees as they seek to resume face-to-face operations.

This note explores the key regulatory, data protection and employment considerations that businesses must bear in mind when weighing up whether they might wish to provide rapid antibody test kits to their employees.

Regulatory considerations

First and foremost businesses must ensure that the tests procured and the manner in which they supply these to employees comply with relevant EU and national legislation regarding the regulation of medical devices. Such rapid antibody testing kits will be considered to be in vitro diagnostic devices (IVDDs) for the purposes of EU Regulations.

The framework for the regulation of IVDDs is set out at an EU level and implemented by Member States. Whilst this may mean that the exact offences and sanctions associated with any illegal supply of medical devices may differ between EU Member States, the overriding principles of what will, and will not, be legal when dealing with rapid antibody test kits will be the same across all EU Member States and the UK. This note will primarily focus on the UK position.

It is important to understand that the regulatory environment for IVDDs differs depending on whether a device is marketed or supplied for administration by a medical professional or for use by a lay person “at home”. In particular, devices marketed for at home use must meet more stringent criteria and be pre-certified by a designated authority within the EU to ensure they are suitable for use by consumers. In contrast, manufacturers of devices that are intended to be administered by medical professionals can, provided the relevant criteria are met, self-certify compliance with the relevant standards.


In the UK, the relevant restrictions are set out in the Medical Devices Regulations 2002 (the MDR). These restrict a number of activities, in particular:

  1. the placing on the market, supply or putting into service of any IVDD that does not meet the relevant criteria set out in the EU legislation; and
  2. the placing on the market, supply or putting into service of IVDDs that are not CE marked.

The MDR define “putting into service” as making the device available to a final user, which includes either the actual user or a medical professional who will administer the IVDD. Accordingly, where a business provides test kits either to employees or to medical professionals for administration, it will be considered to be putting a device into service and could fall foul of either (or both) of the above restrictions.

Breaching the MDR amounts to a criminal offence enforceable within the scope of the Consumer Protection Act 1987, with sanctions on conviction including both fines and up to six months’ imprisonment.

How can tests legally be provided?

To legally provide antibody tests for employees, businesses must ensure that the test being provided is both:

  1. Authorised for the intended use (e.g. at home, administered by a medical professional); and
  2. CE marked accordingly.

Manufacturers must also comply with the MDR such that any product offered to a UK or EU business should at least be self-certified for administration by medical professionals and CE marked. Where a manufacturer is unable to meet this standard the manufacturer will commit an offence and similarly a business providing such tests to its employees, regardless of the method of administration, will also commit an offence.

It will be more important to determine the extent to which a test is authorised for the intended means of administration. If the business proposes to offer tests to be administered by a medical professional then the manufacturer’s self-certification would be expected to be sufficient. However, where a business wishes to supply a rapid antibody test for home use the kit must meet a higher regulatory standard and be approved by a competent authority before it can be CE marked. Whilst there are a number of tests authorised for use by medical professionals, as of 14 May 2020, no antibody testing kits have been approved for home use. Accordingly, until that changes, the provision of any such test for use at home will amount to an offence.


It is important to draw a distinction between a “testing kit” and a “sampling kit”. A testing kit involves the means to take and process a sample, for example a finger prick blood sugar test commonly used to manage diabetes. Conversely a sampling kit (such as the Covid-19 antigen sampling kits provided by the UK Government) consists only of the components for collecting a sample, e.g. saliva or cheek swab, which is then returned to a laboratory for analysis. Home sampling kits benefit from a greater degree of flexibility (as the individual is not themselves undertaking the analysis) and as such CE marked kits consisting of mouth or nose swabs can typically be supplied for use in a home environment by following the self-certification procedure.

Employment law and data protection considerations

The potential advantages to testing a workforce for Covid-19 antibodies are appealing. Reliable tests could enable employers to allow their staff to return to work, in the knowledge that they have some immunity to Covid-19. However, there are both employment law and data protection considerations in:

(i) providing employees with antibody tests to use at home;

(ii) requiring employees to take an antibody test before returning to work; and

(iii) using the results of the antibody tests to shape the workforce.

The GDPR sets out that personal data is any information which itself or coupled with other information can identify a living individual. There is also a further layer of personal data known as special category data. Special category data includes (amongst others) data concerning an individual’s health, genetic and biometric data. Depending on the nature of the antibody test and the results it produces, special category data may be produced as part of the test. 

Can an employer provide an antibody test for its employees to use at home?

Assuming that employers are able to provide antibody testing kits to their staff legally (see Regulatory considerations), they will need to take steps to ensure that the test is provided safely, whether the test is administered “at home” by the employee or by arranging for the employee to see a medical practitioner who will administer the test. 

Employers would be well advised to take steps to ensure that they are not vicariously liable for either the reliability of the results of the test or the acts of the medical professionals providing the tests. Employers and insurers recently found reassurance in this regard in a Supreme Court judgment which held that an employer was not liable for the acts committed by a doctor while conducting workplace health checks (Barclays Bank plc v Various Claimants). Vicarious liability cases are often fact specific and so, to reduce risk in this area, employers should draft a clear disclaimer which explains to employees that the test is being provided by an independent company and that the employer is not liable for the administration or results of the test.

Simply providing the antibody test does not in and of itself result in the employer facing any immediate privacy issues or concerns. If an employer neither collects the data that is produced by the test nor requires the employee to provide the test data to the employer (or any other third party), then there will be no collection and processing of personal data by the employer. The GDPR “bites” when the data is shared with the employer, which can then be said to be processing the data for one or more purposes.

Can an employer require employees to take an antibody test before returning to work?

Employers cannot conduct medical tests without employees’ express consent. This would include testing for antibodies. It is unlikely that there will be an express contractual provision broad enough to require the employee to submit to an antibody test and so fresh consent should be sought. 

Ordinarily, if an employee does not comply with a reasonable instruction of an employer, the next stage would be to consider taking disciplinary action. Plainly in these circumstances, extreme caution will be needed before taking that next step.

Can an employer use the antibody data?

Where the employer intends to collect the data produced by the antibody test then a number of considerations arise:

  1. For what purpose does the employer intend to use the data?
  2. Does the employee have free choice as to whether to provide the results or not, i.e. is the provision of the data voluntary, or will the employer rely on a basis other than consent?
  3. Who will have access to this data?

Question 1 raises the issue of transparency and providing the relevant information to employees to inform them of what data will be collected and for what purpose. The ICO guidance on workplace testing states “As long as there is a good reason for doing so, you should be able to process health data about COVID-19.” Consequently, an employer will need to understand what it intends to do with the data in order to ensure it has a “good reason” to process the data and to inform employees of the intended processing. These considerations overlap with the general employment considerations and whether the aims to be pursued are congruent with the rights and obligations of an employer and whether employees would expect their personal data to be used in such a fashion and for the determinations that the employer may make based on the data. 

Concurrently with the considerations of question 1, the employer will need to determine the relevant lawful basis for processing special category data. Special category data is afforded greater protection under the GDPR than general personal data, with the GDPR providing a blanket ban on the processing of special category data unless one of the bases for processing (as set out in Art 9 of the GDPR) is satisfied. In the above circumstances the most relevant bases for processing would be processing pursuant to the legitimate interests of the employer (relying on the employment condition of Art 9 GDPR) or processing with the explicit consent from the employee. Other grounds may be relevant, for example where the processing is necessary for preventative or occupational medicine, but this may only be applicable if the tests are administered by a medical professional and not by the employee at home (see Regulatory considerations). However, in the employment context, consent under the GDPR is more difficult to establish than outside of employment. Employers need carefully to consider whether the employee is free to decline to provide the antibody test results without fear of any damage to their employment.

Due to the sensitive nature of the data and the likelihood that an individual’s rights could be prejudiced based on the exposure of antibody test data to those who do not need to have access or should not have access at all to such data, employers will need to consider how to impose appropriate limits to access to the antibody test results.

The above considerations should all form part of the employer’s data protection impact assessment, which will inform the employer’s decision as to whether it can proceed with the proposed processing of personal data and what data needs to be collected (or not), or whether there is too great a risk to the rights and freedoms of the employees which cannot be mitigated.

Discrimination concerns may also come into play where an employer makes decisions based on whether an individual has antibodies to Covid-19. Considerations of disability, age, race, pregnancy and maternity, and sex discrimination are all likely to be relevant given the categories of individuals who are regarded as being most at risk. Decisions that favour an employee with antibodies over another employee may be capable of challenge on one or more of these bases.