In light of lockdown restrictions continuing to be lifted and organisations planning to reopen, the UK Information Commissioner's Office ("ICO") has outlined six steps businesses in the UK will need to consider when using personal data, and especially health data, as part of their COVID-19 recovery plans.
The six steps do not represent new regulations but they are considerations that businesses need to keep in mind in order to demonstrate compliance with their data protection obligations under the General Data Protection Regulation and the Data Protection Act 2018.
The six steps are:
1. Only collect and use what's necessary
Businesses should only collect and use people's health data that is necessary to keep their staff safe.
The ICO recommends that, before collecting additional data, businesses consider how the extra personal information will help keep the workplace safe, whether they really need it, and whether the same result could be achieved without collecting additional personal data.
If businesses decide to introduce symptom checking or testing of their staff and/or visitors, there are additional requirements that businesses need to follow. These include identifying a lawful basis for collecting and using the information collected and, if they are processing health data on a large scale, conducting a data protection impact assessment. The ICO has published a list of frequently asked questions in relation to employee testing, which can be a helpful resource. We are also running a global series, Back to Business – Employment & Benefits Global Broadcast Series, which covers key legal concerns that employers now need to consider in different jurisdictions, such as workplace health and safety, testing and privacy.
2. Keep it to a minimum
When collecting information, including about people's COVID-19 symptoms or any related test results, businesses should only collect the minimum personal information needed to implement their measures appropriately and effectively (data minimisation).
Businesses should not collect personal data that they don't need and should consider carefully how long the additional personal data they collect needs to be held.
3. Be clear, open and honest with staff about their data
Businesses should be open with their staff about how the information collected about them will be used and why the business wishes to collect the additional personal information, including what the implications for staff might be of providing it (e.g. that they might not be able to work from the office for some time if they have COVID-19 symptoms).
Businesses should also let employees know who they will share this information with (e.g. insurers, the landlord and other tenants of shared office spaces, regulators) and for how long they intend to keep it. Businesses can do this by amending their existing privacy notice or creating a new privacy notice specifically for COVID-19.
4. Treat people fairly
If businesses are making decisions about staff based on the health information collected, they must make sure that their approach is fair. In particular, the ICO cautions against any detriment employees might suffer as a result of the data collection policy (e.g. discrimination against vulnerable individuals, carers or employees who have multiple jobs).
5. Keep people's information secure
The ICO reminds businesses that any personal data they hold must be kept securely, only held for as long as is necessary and deleted or (if applicable) anonymised in accordance with their data retention policy.
6. Staff must be able to exercise their information rights
The ICO expects businesses to inform individuals about their rights in relation to their personal data, such as the right of access or rectification. The ICO reminds businesses that staff must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have.