As lockdown restrictions start to ease and businesses begin to reopen, the ICO has set out the key steps organisations need to consider in relation to the use of personal information. Here we set out these six key steps and make recommendations for employers.
The ICO’s six key data protection steps
1. Only collect and use what’s necessary
This reflects the data protection principle of “purpose limitation”.
To help you decide if collecting and using employees’ health data is necessary to keep your staff safe, you should ask yourself the following questions:
If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.
2. Keep it to a minimum
This reflects the data protection principle of “data minimisation”.
When collecting personal information, including people’s Covid-19 symptoms or any related test results, organisations should collect only the information needed to implement their measures appropriately and effectively.
Don’t collect personal data that you don’t need. In some cases, some information only needs to be held for a short period, and there is no need to create a permanent record.
3. Be clear, open and honest with staff about their data
This reflects the data protection principle of “transparency”: employees have a right to know how their information will be handled.
Some employees may be affected by some of the measures you intend to implement. For example, staff may not be able to work. You must be mindful of this, and make sure you tell people how and why you wish to use their personal information, including what the implications for them will be. You should also let employees know who you will share their information with and for how long you intend to keep it. You can do this through a clear, accessible privacy notice.
4. Treat people fairly
This reflects the data protection principle of “fairness”.
If you’re making decisions about your staff based on the health information you collect, you must make sure your approach is fair. Think carefully about any detriment they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination.
5. Keep your employees’ information secure
This reflects the data protection principles of “integrity and confidentiality” and “storage limitation”.
Any personal data you hold must be kept securely and only held for as long as is necessary.
6. Staff must be able to exercise their information rights
As with any data collection, organisations must inform individuals about their rights in relation to their personal data, such as the right of access or rectification. Staff must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have with organisations.
Legal basis for processing
As well as following these principles, if you decide to implement symptom checking or testing, you must identify a lawful basis for using the information you collect.
We recommend that employers avoid reliance on “consent” as the legal basis, as employee consent is unlikely to be valid for data protection purposes as employees do not have a free and genuine choice. The most appropriate legal basis, therefore, will be that the collection of health data is in the “legitimate interests” of the employer, such interests not being overridden by the interests of the employees.
In addition, as health data is one of the “special categories” of personal data, an additional lawful basis is required. Again, we recommend that employers avoid reliance on “explicit consent”, and instead rely on the necessity to process the information to comply with the employer’s health and safety at work obligations.
Finally, if you are processing health data on a “large scale”, you will also need to conduct a “data protection impact assessment” (DPIA). The GDPR does not define what constitutes large scale; in essence, this will be determined mainly by the number of employees involved. A small business is unlikely to be processing employee data on a large scale, but even if you are not strictly required to carry out a DPIA, it is good practice to do so.
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.