As Covid-19 measures relax, the Information Commissioner’s Office (ICO) has published useful guidance on what organisations need to consider about the data they process. To ensure they were following government guidelines during the pandemic, businesses were required to retain additional information, such as contact details, for tracing purposes. Now, the ICO believes these emergency measures should be reviewed and organisations should ask themselves if the data they have collected is still necessary. Ruby Ashby, associate and solicitor in Nelsons’ expert dispute resolution team, discusses.
Businesses put processes in place to adhere to Covid-19 rules quickly and efficiently, in order to support the government’s ambitions to prevent the spread of the virus. Collecting personal data from employees was about keeping one another safe, but as the risk appears to lessen, it’s important not to forget that these processes were put in place for a purpose.
Taking into account the latest government guidance, organisations should now be reviewing their approach to ensure that it is still reasonable, fair, and proportionate to be collecting this data under the current circumstances.
Therefore, business owners should be asking themselves:
- Will continuing to collect the extra personal data help keep your workplace safe?
- Do you still need to hold the data previously collected?
- Could you achieve the same results without collecting personal data?
During the pandemic, many businesses were collecting information regarding vaccines, such as employee vaccination status. The ICO has now stated that, in order to continue collecting vaccination data, you must be clear about what you are trying to achieve and how asking people for their vaccination status helps this.
However, if you are processing vaccination data ‘just in case’ or if you can achieve your goal without collecting this specific data, it is unlikely that you will be able to justify your actions and the data shouldn’t be retained.
To be able to lawfully process vaccination data, you need to identify a lawful basis for collecting the information. Previously, when it was a government requirement to do so, organisations could rely upon the legal obligation as a lawful basis. If, however, organisations still wish to process vaccination data, despite it no longer being a requirement to do so, they must rely upon one of the other lawful bases, which are set out in Article six of the UK GDPR.
Furthermore, as vaccination data is classed as health data, it is considered to be special category data in accordance with Article nine of the UK GDPR. Therefore, you must identify an Article nine condition for the processing of the data, for example if the individual gives explicit consent to the processing of this data.
While the tide may be turning with Covid-19, people are still testing positive for the virus, so there may still be data protection elements to consider when reporting this. It is important to know that data protection law does not prevent organisations from keeping their staff informed about potential or actual Covid-19 cases among colleagues. Wherever possible, however, you should avoid naming specific individuals.
If you have any doubts about your obligations under UK GDPR, it is important to seek legal advice as soon as possible to avoid opening yourself, and your business, up to potential claims.
For more information on data protection please visit: www.nelsonslaw.co.uk/business-agreements-contracts/data-protection-solicitor/