Is alcohol and drug testing in the workplace a violation of privacy?

Staff manuals often contain provisions that obligate employees to cooperate in alcohol or drug testing. In some cases the policy is that such tests may be taken at random, in other cases only if there is reason to do so. Such policies are common in industry in particular, in light of the strict safety requirements.

Some time ago the Dutch Data Protection Authority (“AP”) investigated the alcohol and drug testing policy at the Uniper company. The AP had been informed that Uniper’s employees were required to agree to random alcohol and drug testing. Sanctions were imposed if employees did not agree to that policy. It was also apparent from the information received by the AP that the outcome of the alcohol tests already performed by Uniper was stored in personnel files.

The AP found in its report that the collection, analysis and (if applicable) registration of the outcome of alcohol and drug tests constituted the processing of health data within the meaning of the privacy legislation. Uniper had no valid grounds for that data processing. The employees’ permission for the testing was not given voluntarily, since the policy provided that a refusal would at the very least give rise to meeting with the manager and the imposition of sanctions. Employees were therefore put under pressure to give permission for the tests. The other grounds presented by Uniper were also considered invalid. Essentially, a statutory ground must first be created on the basis of which such tests may be performed in the workplace.

And the AP did not leave it at that. Not only the registration of the outcome of tests actually taken was in breach of privacy legislation; the same applied to pursuing a policy that provides for the possibility of taking such tests. Uniper had argued in this regard that privacy legislation was violated only if the tests were actually carried out and the results were processed. But the AP found that “a policy was put in place for the purpose of assessing or regulating the situations described in the policy in a uniform manner. In that sense it may therefore be assumed that the situations described in the policy will occur in practice. Adopted policy involving the proposed processing of personal data comes under the supervisory tasks of the Data Protection Authority.”

Since it follows from the report that, unless there is a statutory basis for doing so, taking drug or alcohol tests (or having a policy to that effect in place) is in breach of privacy legislation, employers should bear in mind that, since the introduction of the GDPR, the AP may impose significant fines for taking such tests.

One option that remains, in our opinion, is to have these tests performed by the company doctor. Doctor-patient confidentiality allows the company doctor to collect health data of the employees. But it remains to be seen whether the company doctor is available at all times to take such tests in order to prevent dangerous situations in the workplace. No agreements to that effect are likely to have been made in most OHS-contracts at this time. We will therefore have to wait and see whether the legislature will provide the necessary statutory basis.

For more information or advice on this subject please contact Michiel van Haelst or Lise van den Heuvel.