Until recently, workplace drug testing across Europe was a tricky business, with policy guidelines varying drastically from country to country. In 2018, however, the European Union implemented a bold data privacy law that sent shockwaves across the globe and completely changed the way that companies dealt with their data.
The General Data Protection Regulation (GDPR), which came into effect on May 25th 2018, was put in place to give individuals more authority over their own data. The definition of “data”, however, is quite sweeping.
According to the European Commission, personal data refers to “any information relating to an individual, whether it relates to his or her private, professional or public life.” So, it can be anything from a name, a home address or a photo to an email address or even a social media post. Essentially, any information that could be loosely classified as “personal”, and it doesn’t get much more personal than DNA.
So, as laboratories that handle incredibly personal information, what responsibilities do we have when ensuring that our tests comply with these rules and what do workplaces need to do to ensure their tests are compliant?
There’s no getting around it - GDPR has had a substantial effect on all workplace testing practices across the continent by redrawing the lines when it comes to individual employee data rights. This includes data related to drug and alcohol use.
The law under GDPR states that data can’t be collected without consent or a “clearly permissible purpose”, which refers to situations where the legitimate interest of the employer in testing for drugs outweighs the fundamental rights of the employee due to workplace and public safety.
Under the GDPR, data cannot be collected from an individual without consent or a permissible purpose. Data collection based on consent is also subject to certain constraints to ensure the consent is truly voluntary. In an employer/employee situation, the “imbalance of power” means that it is often debatable whether personal data was given willingly. In such a landscape, the scales have tipped away from businesses and towards the individual.
In a situation where so many UK workers are turning to drugs or alcohol as a means of escape and then bringing the hangovers and the comedowns with them into work, businesses are beginning to realise they have a duty of care for their employees. Working under the influence can have a potentially fatal impact, particularly in high-risk sectors such as construction or policing.
So, how can employers and labs alike collect and process such sensitive information without falling afoul of the law? Is it all down to consent, or is the answer a little more complicated?
What does the employer need to do?
Barratt Developments - one of the largest residential property development companies in the UK - caused a great deal of noise late last year when a 20% rise in injury rates caused them to take drastic measures and instigate randomised drug and alcohol testing. A company spokesperson said: “In a high-risk industry like construction, drugs and alcohol and work are not compatible.” They have a point, but GDPR has made the process of drug and alcohol testing that much more complex.
Workplace drug testing or pre-employment screening is never explicitly mentioned within the GDPR, of course, though there is a section on “medical information” and “health data” which lists a lawful basis for collection. GDPR requires that employers have a policy document in place that clearly states how data that is deemed a “special category of personal data” is handled in line with GDPR legislation.
Employers should be required to complete a privacy impact assessment, which will help to ensure that the scope and method of testing and screening (alongside the way in which test results are handled) are both appropriate and justifiable.
Besides pre-employment screening, the most common justifiable legal basis for processing drug and alcohol test results will be for health and safety reasons. However, there might be room for further justification where substance use would breach the employment contract or cause serious damage to your business. It will also be that much easier to implement random drug testing in a high-risk environment such as a warehouse or manufacturing environment. If you’re relying on business interests as a legal basis for testing, however, you must ensure this is outlined in your policy document.
The GDPR states that it is legal to collect medical information only when it is necessary “for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”
Employers and HR departments need to consider that both health data and criminal histories are classified as sensitive data. This data needs to be treated with the utmost respect in a post-GDPR world. In essence, if employers wish to avoid falling outside of the new guidelines, the amount of personal information being stored needs to be minimised - the only stored data should be relevant data.
There should also be considerations regarding how long that data is being stored for. Greater levels of transparency are also required, which means employers telling their employees which drugs are being tested for, the reasons for the collection and providing employees with access to their information.
Employers must ensure that testing is of sufficient technical quality and subject to rigorous quality control procedures. Any testing must also be overseen by someone who is suitably qualified. Random selection also needs to be just that - random. The exception is if an individual is under suspicion for a verifiable reason, in which case they should always be told why they have been selected. Finally, it is always wise to offer your employees an ‘amnesty period’, allowing staff with existing dependencies time to address their problems prior to screening. These kinds of employee wellness programmes can be crucial when it comes to solving the problem without seriously upsetting anyone.
On the employer’s end it all comes down to properly formulated policy. The process must be carried out with the greatest of care, as employees could reasonably claim for unfair dismissal if measures are not met and the process is handled poorly. Any action taken as a result of testing is likely to be challenged in a tribunal, so you need to ensure you are on the strongest legal ground possible.
What do labs need to do?
In order to comply with GDPR, laboratories need to ensure the minimum invasion of privacy for the employee and that confidential information is being kept safe and secure. This means ensuring that results can’t be tampered with, that all samples are from the employees believed to be under the influence and that the results are analysed and interpreted to 100% accuracy.
Processing and retention of the results must also be limited specifically to those who need to know. This might mean investing more heavily in cybersecurity infrastructure if you are worried about data being accessed remotely. Labs should also make sure they have set up password-protected emails due to the sensitive nature of the data.
Testing should be about securing a safer and more productive workplace, not shaming employees and putting their private lives under the microscope. This means only testing for drugs that could have an impact on health, safety and employee performance.
All laboratories that are accredited by the UK's Accreditation Service should have satisfied assessors that they will provide a service that meets all testing criteria. Cansford Labs is accredited to ISO 17025 standard and is re-examined annually to ensure we are conforming to the latest standards, including those posed by GDPR. This means that technical competency, process validity, customer service and adherence to internal auditing have been reliably assessed within the last 12 months.
The penalty for breaching the new data protection laws can be as high as 4% of annual turnover or €20 million, whichever is greater. In such an environment, the implications of not getting completely unambiguous consent can be quite severe. However, complying with GDPR is not only about consent, but about how data is handled and how data is controlled.
GDPR has posed significant challenges to many businesses, particularly HR departments. In order to keep that business running effectively in the face of such turmoil, however, workplace drug testing must be taken into consideration when examining procedural operation. All European employers must understand that GDPR exists to protect privacy above all else, and when it comes to something as sensitive as drug testing, that was always going to result in a few more hurdles to navigate.
Shifting lanes in business is always tricky, of course, but for testing labs, the difficulty will be in making sure employers are aware of the logistics and are keeping the information secure by sharing it only when absolutely necessary with relevant parties.
If both sides can work together to create a structured drugs testing policy where information is only shared with relevant parties and those that are being tested are aware of exactly why they are being tested (as well as what they’re being tested for), then disruption should be minimal and we can all feel more secure working in an environment where privacy truly matters.