In response to the government’s relaxation on COVID-19 restrictions, the UK’s data protection regulator, the Information Commissioner’s Office (the ICO), has published guidance for employers on their data protection obligations.
By way of summary, the guidance makes the following recommendations to employers:
- That they consider the emergency practices that they put in place during COVID-19 and decide whether the data they collect is still necessary. They should review their approach and ensure that it is still reasonable, fair and proportionate to the current circumstances, taking the latest government guidance into account.
- That they assess any additional information which was collected and kept during the pandemic and if it is no longer required, that it should be confidentiality destroyed.
- If they are still collecting vaccination information, they should be clear about what they are trying to achieve and how asking people for their vaccination status helps to achieve this objective. Employers’ use of this data must be fair, relevant and necessary for a specific purpose and there must be a compelling reason to collect this information. The ICO also reminded employers that their reason for checking or recording vaccination status must be necessary and transparent. If employers cannot specify a use for this information and are checking it on a “just in case” basis, or if they can achieve their goal without collecting this data, they are unlikely to be able to justify collecting it.
- That the existing data protection compliance requirements apply to collection of COVID-19 data, such as identifying a legal basis and conducting a risk assessment where data is likely to be a high risk to individuals.
- Although they will need to manage positive cases in the workforce and will need to keep staff informed, they should avoid naming individuals wherever possible and should not provide more information than is necessary.