Employers need to revisit their data protection practices as Covid-19 measures are relaxed

New Covid data protection guidance

As Covid-19 restrictions are relaxed, much of the legislation that underpinned our lives for the last two years has expired. In response to this, the ICO have released some guidance on how this impacts data protection practices. 

Pandemic-related data – is it still necessary?

In response to the pandemic, organisations implemented emergency data practices to protect staff and customers. As Covid-19 measures are relaxed, the ICO points out that organisations need to re-assess the type of data they hold and consider whether they still need to collect and/or retain it. 

Often organisations relied on complying with a legal obligation as their reason for collecting  particular categories of “emergency data”. If the legislation is no longer in place, this is not an option, so organisations will need another lawful basis for continuing to process this data. 

The ICO recommends organisations ask themselves:

• How will still collecting extra personal information help keep your workplace safe?
• Do you still need the information previously collected?
• Could you achieve your desired result without collecting personal information?

Organisations should review their approach and make sure that it is still fair and reasonable to process the data, taking into account the latest Government guidance. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice.

Where information is no longer required, it should be securely disposed of. Commonly, paper records are shredded and electronic records must be deleted from systems including from backup storage systems. 

Vaccination status

Organisations wishing to continue collecting vaccination data must be clear about their reason for doing so and about how this will help achieve their objective. The reason must be necessary and transparent. Organisations should not collect data  ‘just in case’ it is needed and if they can achieve their objective without it, they are unlikely to be able to justify collecting it.  

Organisations will have to identify a lawful basis to process vaccination data. If they have previously relied on complying with a legal obligation, it is important to check whether the legislation is still in place. If the legislation has expired or been revoked, then they will need to identify another lawful basis for processing the data. As an individual’s vaccination status is health data and classified as ‘special category data’, organisations must also identify an Article 9 condition for processing this information. The article 9 conditions include explicit consent, vital interests, substantial public interest and public health. 

In cases where the use of vaccination data is high risk to the individual, for example if it could result  in them being denied employment opportunities or services, or where an organisation is processing the data on a large scale, the organisation will need to undertake a data protection impact assessment (DPIA).

The DPIA must:

• describe the nature, scope, context and purposes of the processing
• assess necessity, proportionality and compliance measures
• identify and assess risks to individual; and
• identify any additional measures to mitigate those risks

As well as considering data protection issues, organisations collecting vaccination data should also keep in mind:

• employment law and employment contracts (where employers are considering checking employees’ COVID status)
• health and safety requirements and
• equalities and human rights, including privacy rights

Positive Covid cases in the workforce

The guidance confirms that there is nothing to stop organisations from keeping staff informed of a positive case in the workforce, however, they should avoid naming the individual(s) without their consent and should not give more information than is necessary.