On 12 June 2020, the UK’s Information Commissioner’s Office (ICO) issued new guidance for organisations on the coronavirus (COVID-19) recovery phase (Guidance).
The Guidance (available here) forms part of the ICO’s wider data protection and coronavirus information hub (available here) which aims to help organisations navigate data protection during this unprecedented time.
The new Guidance comes as the lockdown measures start to ease and businesses begin to reopen. It sets out six key data protection steps that organisations need to consider around the use of personal data.
- Only collect and use data that is necessary
Reopening organisations may implement additional health and safety measures. While this will vary between different sectors and industries, many organisations will want to collect additional personal data from their staff to ensure a safe working environment. Organisations are encouraged to consider the following questions:
- How will collecting extra personal data help to keep your workplace safe?
- Do you really need the information?
- Will the test you are considering actually help you provide a safe environment?
- Could you achieve the same result without collecting personal data?
Any approach taken must be reasonable, fair, and proportionate to the circumstances.
- Keep data to a minimum
Any personal data collected, including individuals’ COVID-19 symptoms or test results, must be necessary to implement the organisation’s measures appropriately and effectively. This follows from the data minimisation principle in the EU General Data Protection Regulation (GDPR).
The Guidance emphasises that some personal data may only need to be held for a short time, and that in some cases no permanent record should be kept at all.
The ICO has previously issued guidance on data minimisation to help organisations make these decisions. The guidance is available here.
- Be open, clear, and transparent
Organisations must be mindful of how individuals may be affected by some of the additional measures taken in response to COVID-19. Organisations should be transparent about the way they collect personal data by having a clear and accessible privacy notice. The privacy notice should set out what personal data is being collected, why it is being collected, and how the organisation will use it, including what the implications for the individual will be. Individuals should also be told with whom their personal data will be shared and for how long it will be kept.
- Treat people fairly
The Guidance highlights the need to treat all staff fairly and warns against discrimination through decisions that are made based on the health information collected.
- Keep data secure
Organisations must keep all personal data secure and retain it only for as long as is necessary. A retention policy should be in place that sets out how and when personal data will be reviewed, deleted, or anonymised.
- Ensure that individuals can exercise their data rights
Individuals should be informed of their rights in relation to their personal data, including the right of access and rectification.
If organisations have implemented processes for symptom checking or testing their employees, they need to ensure that they have a lawful basis for doing so. A data protection impact assessment will be necessary if collecting and processing health data is being done on a large scale.
The ICO has previously made it clear that data protection law does not prevent organisations from taking necessary steps to ensure the safety of their staff and the public, so long as personal data is handled responsibly and carefully. The new Guidance emphasises that organisations will need to strike a balance between creating a safe working environment and protecting individuals’ privacy rights. Organisations that follow the ICO’s guidance will help ensure that this balance is met, and will reduce the risk of the ICO taking regulatory action against them.