Updated ICO guidance on data protection and COVID-19 following relaxation of government measures

United KingdomScotland

As a result of the recent relaxation of government measures around COVID-19, the Information Commissioner’s Office (“ICO”) has published new guidance regarding what to do with additional personal data collected during the pandemic. The guidance acknowledges that employers had to adapt quickly to respond to the COVID-19 pandemic in order to keep their staff and customers safe but encourages employers to now consider the following:

  • How the collection of extra personal information will keep their workplace safe.
  • Whether previously collected information is still needed.
  • If there are any other ways to achieve the desired result without collecting personal information.

As a result, employers should review their approach and ensure that it is still reasonable, fair and proportionate in the current circumstances. If it is determined that personal data is no longer required, then the information must be disposed of securely. Consideration must also be given to disposal of personal data that has been collected or processed where employees have been or are working remotely and the personal data is in hard copy form.

Collecting vaccination information from employees

The vaccination status of employees constitutes special category health data that is afforded additional protections under data protection laws.

Processing special category data

In order to process special category data, in accordance with the UK GDPR, an employer would need to identify both a lawful basis under Article 6 and a separate condition for processing under Article 9.

If they cannot do so, the processing of such special category data would be unlawful.

Article 6 lawful basis

Before the relaxation of the government measures, some employers relied on “legal obligation” as an Article 6 lawful basis for collecting this special category data. However, if employers now want to continue collecting this information, a different lawful basis may be required. Employers should review the lawful basis relied upon and whether it is necessary to review and update any internal policy documents or employee privacy notices to reflect this change.

In certain cases employers may be able to rely on the Article 6 “legitimate interest” lawful basis, but only where the processing is necessary for the purposes of the legitimate interest of the controller or third party. To do so, employers would need to identify the legitimate interest relied on and show that the processing is necessary to achieve it, also taking into account the data subject's interests, rights and freedoms by carrying out a Legitimate Interests Assessment.

Continued collection of vaccination information

An employer’s reason for collecting vaccination information must be both necessary and transparent. If an employer is collecting or checking this information on a ‘just in case’ basis then it is unlikely that this will be lawful, as the processing should be necessary and relevant for a specific purpose. In instances where the use of the data constitutes a high risk to individuals such as denial of employment opportunities, then a Data Protection Impact Assessment will be required but many employers will undertake a Data Protection Impact Assessment in any event, as good practice.

Can I continue to keep staff informed about COVID-19 cases in the workforce?

Employers continue to have health and safety obligations, and will likely consider it necessary to notify individuals where they may have been in contact with an employee with COVID-19. When doing so an employer must continue to be mindful of its data protection obligations, including avoiding naming individuals wherever possible and not providing more information than is necessary.

Article co-authored by Alex Reading, Trainee Solicitor at CMS