In response to the recent relaxation of Covid-19 measures, the Information Commissioner’s Office (ICO) has published updated guidance to help organisations and employers navigate their data protection obligations. Data protection and Coronavirus-19 – relaxation of government measures | ICO
Amongst other things, the updated guidance recommends that employers:
- Consider what data is still required. Employers should review their current approach and consider whether the personal data they have been collecting during the pandemic is still necessary. They should ensure that it is still reasonable, fair and proportionate to the current circumstances, taking the latest Government guidance into account.
- Assess any additional personal data collected and retained during the pandemic and ensure that they securely dispose of any data that is no longer required.
- If continuing to collect vaccination information, they must be clear about what they are trying to achieve and how asking people for their vaccination status will help to achieve this. Employers will need to review the lawful basis for collecting vaccination information, and if they previously relied on “legal obligation”, they will need to identify another lawful basis if the relevant legislation has expired. Employers must also identify a condition for processing special category data as a person’s vaccination status is health data. The ICO notes that keeping vaccination status data ‘just in case’ or for monitoring purposes only is going to be more difficult to justify.
- Keep in mind that data protection law does not prevent employers from keeping staff informed about potential or confirmed COVID-19 cases among colleagues. However, employers should avoid naming individuals wherever possible should not provide more information than is necessary.
This is only intended to be a summary and not specific legal advice. If you would like further information or advice, please do contact a member of our team.