The term, General Data Protection Regulation (GDPR) has sent a shiver down the spine of many companies, mainly due to a misunderstanding of what GDPR actually means for alcohol and drug testing in the workplace.
GDPR is not a standalone piece of legislation. The Data Protection Act 2018 sits alongside the GDPR and tailors how it is applied in the UK. Workplace alcohol and drug testing is not directly mentioned by the GDPR, but the rules concerning alcohol and drug testing in the workplace have not fundamentally changed from the introduction of the Data Protection Act 2018 and the GDPR.
We have received a number of enquiries regarding the impact that the GDPR may have on alcohol and drug testing in the workplace, especially with using the term consent. Some believe that the term consent should no longer be used when testing an employee, however, this is incorrect, the term consent is permissible.
An employee giving consent to be tested is not the same as an employee giving consent for their data to be used. This is where there is, understandably some concern and confusion about consent and whether discipline could be applied if consent to be tested is not provided by the employee. If an employee does not provide consent to be tested or refused to comply with the testing process, discipline can be applied the same as a positive test result.
There is also some confusion as to whether alcohol and drug testing in the workplace is a medical intervention. The General Medical Council does not consider this testing a medical intervention and the Information Commissioner’s Office does not consider alcohol and drug test results as medical records, they are actually defined in a similar way to HR or Health and Safety records.
Therefore, trying to apply the same rules that govern medical interventions is not correct, nor is the requirement that employees should be informed of their test results before their employer.
GDPR contains 6 principles:
- Personal data should be processed fairly, lawfully and in a transparent manner.
- Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.
- The data should be adequate, relevant and not excessive.
- The data should be accurate and when necessary kept up to date.
- Data should not be kept for longer than necessary.
- Data should be kept secure.
Providing a company can satisfy the principles above then the collection of employee personal data for alcohol and drug testing in the workplace would be compliant. Hampton Knight’s testing procedures are compliant with not only GDPR but also the Data Protection Act 2018.
If you would like more information regarding Alcohol & Drug testing or a free consultation, please contact Hampton Knight on 01827 65999