As a result of the recent relaxation of government measures around COVID-19, the Information Commissioner’s Office (“ICO”) has published new guidance regarding what to do with additional personal data collected during the pandemic. The guidance acknowledges that employers had to adapt quickly to respond to the COVID-19 pandemic in order to keep their staff and customers safe but encourages employers to now consider the following:
- How the collection of extra personal information will keep their workplace safe.
- Whether previously collected information is still needed.
- If there are any other ways to achieve the desired result without collecting personal information.
As a result, employers should review their approach and ensure that it is still reasonable, fair and proportionate in the current circumstances. If it is determined that personal data is no longer required, then the information must be disposed of securely. Consideration must also be given to disposal of personal data that has been collected or processed where employees have been or are working remotely and the personal data is in hard copy form.
Collecting vaccination information from employees
The vaccination status of employees constitutes special category health data that is afforded additional protections under data protection laws.
Processing special category data
In order to process special category data, in accordance with the UK GDPR, an employer would need to identify both a lawful basis under Article 6 and a separate condition for processing under Article 9.
If they cannot do so, the processing of such special category data would be unlawful.
Article 6 lawful basis
Before the relaxation of the government measures, some employers relied on “legal obligation” as an Article 6 lawful basis for collecting this special category data. However, if employers now want to continue collecting this information, a different lawful basis may be required. Employers should review the lawful basis relied upon and whether it is necessary to review and update any internal policy documents or employee privacy notices to reflect this change.
In certain cases employers may be able to rely on the Article 6 “legitimate interest” lawful basis, but only where the processing is necessary for the purposes of the legitimate interest of the controller or third party. To do so, employers would need to identify the legitimate interest relied on and show that the processing is necessary to achieve it, also taking into account the data subject's interests, rights and freedoms by carrying out a Legitimate Interests Assessment.
Continued collection of vaccination information
An employer’s reason for collecting vaccination information must be both necessary and transparent. If an employer is collecting or checking this information on a ‘just in case’ basis then it is unlikely that this will be lawful, as the processing should be necessary and relevant for a specific purpose. In instances where the use of the data constitutes a high risk to individuals such as denial of employment opportunities, then a Data Protection Impact Assessment will be required but many employers will undertake a Data Protection Impact Assessment in any event, as good practice.
Can I continue to keep staff informed about COVID-19 cases in the workforce?
Employers continue to have health and safety obligations, and will likely consider it necessary to notify individuals where they may have been in contact with an employee with COVID-19. When doing so an employer must continue to be mindful of its data protection obligations, including avoiding naming individuals wherever possible and not providing more information than is necessary.
Article co-authored by Alex Reading, Trainee Solicitor at CMS
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.