Request ID: FOI-0920-2122 Date published: 31 August 2021
You asked
1. Please could you detail:
a. the thermal technologies and / or products you use to scan employees and/or visitors, including whether you use a thermal ‘gun’-style scanner or thermal imaging cameras,
b. their claimed accuracy in detecting core body temperature,
c. the metrics used to determine whether to flag individuals, whether those metrics include temperature and the emphasis placed on that temperature?
d. The basis for the metrics deployed and how these were decided?
2. Can you please confirm if you are using these technologies on a trial basis or if you have fully implemented them within your organisation?
3. Please can you explain what the consequences may be if an individual is flagged as having an elevated temperature/[other metric], and explain how and by whom in your organisation those decisions may be made? (A decision tree would be very useful)
4. Articles 13 and 14 GDPR require certain information to be provided to data subjects upon collection of their data. Can you please clarify where your privacy notice can be found and provide a copy of it?
5. Can you advise as to whether a Data Protection Impact Assessment (DPIA) under Section 35 GDPR has been completed, and if so, provide me a copy? Can you advise if you have sought the views of affected individuals or their representatives?
6. Can you describe the nature of the processing you are conducting through your use of thermal technologies including:
a. the type(s) of data /information collected?
b. how you collect the data?
c. the number of individuals you collect data from?
d. your relationship with these individuals (employees, customers, visitors, etc)?
e. whether these individuals include children or other vulnerable people?
f. the extent, frequency and duration of the data processing?
g. how you store the data collected?
h. how you use the data collected?
i. who has access to the data?
j. who you share the data with?
k. whether you use any processors?
l. what your retention periods are?
m. any security measures you put in place to protect the data?
7. Can you describe your lawful basis for the processing under the GDPR? If your use of thermal technologies is based on consent, please can you demonstrate that consent is fully informed (and explain how), explicit and freely given, and that there are no adverse consequences for those who decline?
8. Could you explain any safeguards which you have put in place to prevent against discrimination towards people with protected characteristics? Have you conducted an equality or human rights impact assessment, if so, could you provide us with a copy of this?
We answered
Our Ref: FOI-0920-2122
Thank you for your request received on 5 August 2021 asking for information about the use of thermal screening.
Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy. I can confirm we hold some of the information you require.
Throughout the pandemic we have utilised a range of approaches to help minimise risk to staff and customers. This has included the free distribution of face coverings to commuters and their provision to all operational staff, an enhanced cleaning regime across our network, participating in the Department of Health’s asymptomatic testing trial, and working with six bus operators to trial temperature testing of their staff. Some of these trials involved the use of hand held devices and some utilised a screen which people stood in front of. However, we concluded that this was not something TfL would look to roll out, although some operators decided to keep using them. Please see the attached report regarding the trial. Please note that the research was commissioned (and fieldwork begun) before the Medicines and Healthcare Products Regulatory Agency stated that temperature checks should not be relied upon (on 3 July 2020).
The London bus network is operated by bus companies operating under contract to TfL and those companies employ the staff who have participated in temperature testing; during the trial ‘All data were anonymised through a pseudo-anonymisation process which replaced the driver ID with a non-descriptive key’ (see paragraph 3.3 of the report) but to the extent that any personal data has been processed as a result of the testing, the bus company would be the controller of that data.
It should also be noted that some suppliers/contractors at TfL construction sites may use thermal screening. This activity was neither requested nor endorsed by TfL. Any such activity at locations where TfL is responsible for the site (i.e. where TfL is the Principal Contractor) has ceased.
As TfL is not carrying out temperature testing or screening of individuals we have not produced a Data Protection Impact Assessment or privacy notice relating to such activity and nor do we hold information relating to your questions 6-8.
If this is not the information you are looking for, or if you are unable to access it for some reason, please feel free to contact me.
Please see the attached information sheet for details of your right to appeal.
Yours sincerely
Gemma Jacob Senior FOI Case Officer FOI Case Management Team General Counsel Transport for London
