

by uma


As Covid-19 measures relax, the Information Commissioner’s Office (ICO) has published useful guidance on what organisations need to consider about the data they process. To ensure they were following government guidelines during the pandemic, businesses were required to retain additional information, such as contact details, for tracing purposes. Now, the ICO believes these emergency measures should be reviewed and organisations should ask themselves if the data they have collected is still necessary. Ruby Ashby, associate and solicitor in Nelsons’ expert dispute resolution team, discusses.

Businesses put processes in place quickly and efficiently to adhere to Covid-19 rules, in order to support the government’s ambitions to prevent the spread of the virus. While collecting personal data from employees was about keeping one another safe, as the risk appears to lessen it is important not to forget that these processes were put in place for a purpose.

Taking into account the latest government guidance, organisations should now be reviewing their approach to ensure that it is still reasonable, fair, and proportionate to be collecting this data under the current circumstances. 

Therefore, business owners should be asking themselves: 

  • Will continuing to collect the extra personal data help keep your workplace safe? 
  • Do you still need to hold the data previously collected? 
  • Could you achieve the same results without collecting personal data? 

Vaccination information 

During the pandemic, many businesses were collecting information regarding vaccines, such as employee vaccination status. The ICO has now stated that, in order to continue collecting vaccination data, you must be clear about what you are trying to achieve and how asking people for their vaccination status helps this. 

However, if you are processing vaccination data ‘just in case’ or if you can achieve your goal without collecting this specific data, it is unlikely that you will be able to justify your actions and the data shouldn’t be retained. 

To be able to lawfully process vaccination data, you need to identify a lawful basis for collecting the information. Previously, when it was a government requirement to do so, organisations could rely upon the legal obligation as a lawful basis. If, however, organisations still wish to process vaccination data, despite it no longer being a requirement to do so, they must rely upon one of the other lawful bases, which are set out in Article six of the UK GDPR. 

Furthermore, as vaccination data is classed as health data, it is considered to be special category data in accordance with Article nine of the UK GDPR. Therefore, you must identify an Article nine condition for the processing of the data, for example if the individual gives explicit consent to the processing of this data. 

Positive cases 

While the tide may be turning with Covid-19, people are still testing positive for the virus, so there may still be data protection elements to consider when reporting this. It is important to know that data protection law does not prevent organisations from keeping their staff informed about potential or actual Covid-19 cases among colleagues, but wherever possible you should avoid naming specific individuals.

If you have any doubts about your obligations under UK GDPR, it is important to seek legal advice as soon as possible to avoid opening yourself, and your business, up to potential claims. 

For more information on data protection please visit: www.nelsonslaw.co.uk/business-agreements-contracts/data-protection-solicitor/ 


