Employers need to revisit their data protection practices as Covid-19 measures are relaxed


Posted on 07 Apr 2022

New Covid data protection guidance

As Covid-19 restrictions are relaxed, much of the legislation that underpinned our lives for the last two years has expired. In response, the ICO has released guidance on how this affects data protection practices.

Pandemic-related data – is it still necessary?

In response to the pandemic, organisations implemented emergency data practices to protect staff and customers. As Covid-19 measures are relaxed, the ICO points out that organisations need to re-assess the types of data they hold and consider whether they still need to collect and/or retain them.

Often, organisations relied on compliance with a legal obligation as their lawful basis for collecting particular categories of “emergency data”. If that legislation is no longer in place, this basis is no longer available, so organisations will need another lawful basis for continuing to process the data.

The ICO recommends organisations ask themselves:

  • How will still collecting extra personal information help keep your workplace safe?
  • Do you still need the information previously collected?
  • Could you achieve your desired result without collecting personal information?

Organisations should review their approach and make sure that it is still fair and reasonable to process the data, taking into account the latest Government guidance. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice.

Where information is no longer required, it should be securely disposed of. In practice, paper records should be shredded and electronic records deleted from all systems, including backup storage.

Vaccination status

Organisations wishing to continue collecting vaccination data must be clear about their reason for doing so and about how this will help achieve their objective. The reason must be necessary and transparent. Organisations should not collect data ‘just in case’ it is needed; if they can achieve their objective without it, they are unlikely to be able to justify collecting it.

Organisations will have to identify a lawful basis to process vaccination data. If they have previously relied on compliance with a legal obligation, it is important to check whether the legislation is still in place. If the legislation has expired or been revoked, they will need to identify another lawful basis for processing the data. As an individual’s vaccination status is health data and classified as ‘special category data’, organisations must also identify an Article 9 condition for processing this information. The Article 9 conditions include explicit consent, vital interests, substantial public interest and public health.

In cases where the use of vaccination data is high risk to the individual, for example if it could result in them being denied employment opportunities or services, or where an organisation is processing the data on a large scale, the organisation will need to undertake a data protection impact assessment (DPIA).

The DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

As well as considering data protection issues, organisations collecting vaccination data should also keep in mind:

  • employment law and employment contracts (where employers are considering checking employees’ Covid status);
  • health and safety requirements; and
  • equalities and human rights, including privacy rights.

Positive Covid cases in the workforce

The guidance confirms that there is nothing to stop organisations from keeping staff informed of a positive case in the workforce. However, they should avoid naming the individual(s) without their consent and should not give more information than is necessary.

Key Contacts:

Piers Leigh-Pollitt

Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).

  • Partner & Compliance Officer for Legal Practice
  • T: +44 (0)118 951 6761

Mike Hibberd

Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.

  • Legal Director
  • T: +44 (0)118 951 6765

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.