ICO Guidance On Data Protection Compliance During COVID-19 Recovery Period

Posted in : Supplementary Articles NI on 7 July 2020
Cleaver Fulton Rankin
Issues covered: Coronavirus; Data Protection

Prompted by the easing of lockdown and the re-opening of businesses, the ICO has helpfully outlined 6 key steps that organisations need to consider when using personal data.  The Guidance is very much in keeping with data protection principles under GDPR and the Data Protection Act 2018 but it is a useful summary for employers nonetheless.

1. Only collect and use what’s necessary

This is line with the “purpose limitation” principle set out at Article 5(1)b of GDPR.  The ICO advises that organisations should ask themselves the following questions:

  • How will collecting extra personal information help keep your workplace safe? 
  • Do you really need the information?
  • Will the test you’re considering actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information? 

If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.

2. Keep it to a minimum

This is in line with the “data minimisation” principle set out at Article 5(1)c of GDPR.

Only collect information that you really need and keep it only as long as is necessary.  For example, temperature test results could be discarded immediately. 

3. Be clear, open and honest with staff about their data

This is in line with the “transparency” principle set out at Article 5(1)a of GDPR.

As with everything employee related, employee relations will be enhanced if you are open and honest with employees in relation to what you are collecting, why and what you are going to do with the data.  A clear and accessible privacy notice should be made available. 

4. Treat people fairly 

This reflects the “fairness” principle set out at Article 5(1)a of GDPR.

In keeping with general employment law principles, act fairly and ensure that your approach does not result in any kind of detriment or discrimination. 

5. Keep your employees’ information secure

This reflects the “integrity and confidentiality” principle set out at Article 5(1)f of GDPR.  As with everything employment related, keep the data safe and only keep it for as long as you absolutely need to.

6. Staff must be able to exercise their information rights

As with any data collection, the ICO expects organisations to inform individuals about their rights in relation to their personal data such as the rights of access or rectification.

More generally, the ICO has highlighted that if you decide to implement symptom checking or testing, there are additional requirements.  You need to identify a lawful basis for using the information and if you are processing health data on a large scale remember that you will need to conduct a Data Protection Impact Assessment (DPIA).

Full guidance available here:


This article is correct at 07/07/2020

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.

Cleaver Fulton Rankin

The main content of this article was provided by . Contact telephone number is 028 9024 3141

View all articles by