What kind of health data can we collect from the employees and our service users? What are our obligations in collecting and storing such data?
Temperature checks are generally permissible. In order to require employees to undergo a full medical check, there would need to be a contractual ability to do this in the employment contract.
In both cases, as this will amount to personal data for the purposes of the Personal Data (Privacy) Ordinance, you should inform the employee/service user in advance and the purposes for which this data will be used i.e. to determine whether there is any risk to health and safety, or to prevent the spread of infection.
There is no strict requirement to obtain consent provided the employee/service user is notified of these purposes in advance, but we recommend you do so as this amounts to sensitive personal data. You should also check if the terms of the Personal Information Collection Statement issued to employees/service users is sufficiently wide to cover these purposes.