The Information Commissioners Office (ICO) has set out some key considerations organisations need to review around the use of personal information now that Covid-19 measures are relaxing across the UK. Guidance varies between England, Northern Ireland, Scotland and Wales, writes Rachel Waller, one of solicitors Bishop and Sewell’s Data Protection law specialists.
Is it still necessary?
Organisations have had to adapt quickly to respond to the COVID-19 pandemic in order to keep their staff and customers safe. As government measures across the UK relax, these emergency practices should be reviewed to help you decide if the information you have been collecting is still necessary. You should ask yourself a few questions:
- How will still collecting extra personal information help keep your workplace safe?
- Do you still need the information previously collected?
- Could you achieve your desired result without collecting personal information?
You should review your approach and ensure that it is still reasonable, fair and proportionate to the current circumstances, taking the latest government guidance into account. View our guidance on necessity for further information.
Retaining information collected during the COVID-19 pandemic
You may have retained additional personal information during the COVID-19 pandemic in line with government guidelines.
You should assess any additional information which you collected and retained during the pandemic and ensure that you securely dispose any information that is no longer required.
Should we still collect vaccination information?
If you are continuing to collect vaccination information, you must be clear about what you are trying to achieve and how asking people for their vaccination status helps to achieve this.
Your use of this data must be fair, relevant and necessary for a specific purpose. You should check government guidance which has been published for England, Northern Ireland, Scotland and Wales. If you wish to collect this information, there must be a compelling reason for you to do so.
Data protection is one of a number of factors to consider when thinking about collecting this information. You should also take into account:
- employment law and your contracts with employees (if you are considering checking employees’ COVID status);
- health and safety requirements; and
- equalities and human rights, including privacy rights.
Your reason for checking or recording vaccination status must be necessary and transparent. If you cannot specify a use for this information and are checking it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.
The use of this information must not result in any unfair treatment of employees, customers, or visitors. You should only use it for purposes they would reasonably expect.
Your processing of this information must be fair and if the collection or use of COVID status information is likely to have a negative consequence for someone, you must be able to justify it.
You will need to identify a lawful basis for collecting this information. If you previously relied on legal obligation as your lawful basis and still want to collect this information, you will need to identify another lawful basis if the legislation relied upon has expired. As a person’s vaccination status is health data, which has the protected status of ‘special category data’ under data protection law it requires extra protection. Therefore you must also identify an Article 9 condition for processing this information (i.e. the conditions set out under Article 9 of the GDPR).
If the use of this data is likely to result in a high risk to individuals (e.g. denial of employment opportunities or services), or you will be processing health data on a large scale, then you need to complete a data protection impact assessment.
Managing positive cases in the workforce
Data protection law doesn’t prevent you from keeping staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals wherever possible, and you should not provide more information than is necessary.
For data protection matters, please contact our expert Data Protection team on [email protected] or call them on quoting reference CB312 on 020 7631 4141.
For more general property dispute matters, please contact our expert Litigation and Dispute Resolution team on [email protected] or call them on quoting reference CB312 on 020 7631 4141.
About Bishop & Sewell LLP
Bishop & Sewell is a long-established, full service Central London law firm – with an international reach – specialising in Personal, Property and Commercial legal matters. To learn more, visit www.bishopandsewell.co.uk