COVID-19: ICO issues guidance on recovery phase


Posted on 15 Jun 2020

The ICO has issued new guidance for employers on the COVID-19 recovery phase. 

As lockdown measures start to ease, businesses are gradually reopening. Methods of returning to work will vary greatly by industry, but we will likely see a “new normal.” For example, workplaces may have additional hygiene measures and organisations might want to collect more staff data to ensure a safe working environment. 

The ICO’s guidance outlines six key requirements for businesses.

Only collect and use data that is necessary

The GDPR classifies health data as “special category data.” It therefore attracts additional protection. The ICO suggests businesses should consider:

  • Whether they need to obtain the health data
  • How the extra data sought will keep the workplace safe 
  • Whether the data will meet this aim
  • Whether this aim could be met without this personal data
  • That any approach taken must be reasonable, fair and proportionate

Keep data to a minimum

Any data collected must be necessary to implement the business’s measures appropriately and effectively. This is based on the GDPR’s data minimisation principle.

Be open, clear and transparent

Businesses should be transparent when collecting the data. Individuals should know what data is being collected, why it is being collected, how the business intends to use the data and how long it will be kept. This is often set out in a privacy notice.

Treat people fairly

Any new data processing methods should be consistent. The ICO warns against discrimination through decisions made based on health data obtained.

Keep data secure

Businesses must keep any new data obtained secure, in line with all other data held. A retention policy can set out when and how personal information needs to be reviewed, deleted or anonymised.

Ensure individuals can exercise their data rights

Individuals should be informed of their data rights (including the right of access and the right to data rectification).

If using symptom checking or testing, businesses must ensure they have a lawful basis for doing so (discussed in more detail in our previous article on workplace testing). A data protection impact assessment should be used if processing health data on a large scale.

As businesses reopen, they need to balance the data required to ensure a safe environment against individuals’ own privacy rights. Complying with the above steps (and documenting the decisions made) will help ensure employees’ health is protected, while reducing the risk of repercussions from the ICO.

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.