ICO Guidance On Data Protection Compliance During COVID-19 Recovery Period
Posted in: Supplementary Articles NI on 7 July 2020
Prompted by the easing of lockdown and the re-opening of businesses, the ICO has helpfully outlined 6 key steps that organisations need to consider when using personal data. The Guidance is very much in keeping with data protection principles under GDPR and the Data Protection Act 2018 but it is a useful summary for employers nonetheless.
1. Only collect and use what’s necessary
This is in line with the “purpose limitation” principle set out at Article 5(1)b of GDPR. The ICO advises that organisations should ask themselves the following questions:
- How will collecting extra personal information help keep your workplace safe?
- Do you really need the information?
- Will the test you’re considering actually help you provide a safe environment?
- Could you achieve the same result without collecting personal information?
If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.
2. Keep it to a minimum
This is in line with the “data minimisation” principle set out at Article 5(1)c of GDPR.
Only collect information that you really need and keep it only as long as is necessary. For example, temperature test results could be discarded immediately.
3. Be clear, open and honest with staff about their data
This is in line with the “transparency” principle set out at Article 5(1)a of GDPR.
As with everything employee related, employee relations will be enhanced if you are open and honest with employees in relation to what you are collecting, why and what you are going to do with the data. A clear and accessible privacy notice should be made available.
4. Treat people fairly
This reflects the “fairness” principle set out at Article 5(1)a of GDPR.
In keeping with general employment law principles, act fairly and ensure that your approach does not result in any kind of detriment or discrimination.
5. Keep your employees’ information secure
This reflects the “integrity and confidentiality” principle set out at Article 5(1)f of GDPR. As with everything employment related, keep the data safe and only keep it for as long as you absolutely need to.
6. Staff must be able to exercise their information rights
As with any data collection, the ICO expects organisations to inform individuals about their rights in relation to their personal data such as the rights of access or rectification.
More generally, the ICO has highlighted that if you decide to implement symptom checking or testing, there are additional requirements. You need to identify a lawful basis for using the information and, if you are processing health data on a large scale, remember that you will need to conduct a Data Protection Impact Assessment (DPIA).
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.