As lockdown restrictions start to ease and businesses begin to reopen, the ICO has set out the key steps organisations need to consider in relation to the use of personal information. Here we set out these six key steps and make recommendations for employers.
The ICO’s six key data protection steps
- Only collect and use what’s necessary
- Keep it to a minimum
- Be clear, open and honest with staff about their data
- Treat people fairly
- Keep your employees’ information secure
- Staff must be able to exercise their information rights
1. Only collect and use what’s necessary
This reflects the data protection principle of “purpose limitation”.
To help you decide if collecting and using employees’ health data is necessary to keep your staff safe, you should ask yourself the following questions:
- How will collecting extra personal information help keep your workplace safe?
- Do you really need the information?
- Will the test you’re considering actually help you provide a safe environment?
- Could you achieve the same result without collecting personal information?
If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.
2. Keep it to a minimum
This reflects the data protection principle of “data minimisation”.
When collecting personal information, including people’s Covid-19 symptoms or any related test results, organisations should collect only the information needed to implement their measures appropriately and effectively.
Don’t collect personal data that you don’t need. In some cases, some information only needs to be held for a short period, and there is no need to create a permanent record.
3. Be clear, open and honest with staff about their data
This reflects the data protection principle of “transparency”: employees have a right to know how their information will be handled.
Employees may be affected by the measures you intend to implement; for example, staff may not be able to work. You must be mindful of this, and make sure you tell people how and why you wish to use their personal information, including what the implications for them will be. You should also let employees know who you will share their information with and for how long you intend to keep it. You can do this through a clear, accessible privacy notice.
4. Treat people fairly
This reflects the data protection principle of “fairness”.
If you’re making decisions about your staff based on the health information you collect, you must make sure your approach is fair. Think carefully about any detriment they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination.
5. Keep your employees’ information secure
This reflects the data protection principles of “integrity and confidentiality” and “storage limitation”.
Any personal data you hold must be kept securely and only held for as long as is necessary.
6. Staff must be able to exercise their information rights
As with any data collection, organisations must inform individuals about their rights in relation to their personal data, such as the right of access or rectification. Staff must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have with organisations.
Legal basis for processing
As well as following these principles, if you decide to implement symptom checking or testing, you must identify a lawful basis for using the information you collect.
We recommend that employers avoid reliance on “consent” as the legal basis, as employee consent is unlikely to be valid for data protection purposes as employees do not have a free and genuine choice. The most appropriate legal basis, therefore, will be that the collection of health data is in the “legitimate interests” of the employer, such interests not being overridden by the interests of the employees.
In addition, as health data is one of the “special categories” of personal data, an additional lawful basis is required. Again, we recommend that employers avoid reliance on “explicit consent”, and instead rely on the necessity to process the information to comply with the employer’s health and safety at work obligations.
Finally, if you are processing health data on a “large scale”, you will also need to conduct a “data protection impact assessment” (DPIA). The GDPR does not define what constitutes large scale; in essence, this will be determined mainly by the number of employees involved. A small business is unlikely to be processing employee data on a large scale, but even if you are not strictly required to carry out a DPIA, it is good practice to do so.
Recommendations for employers
- Provide a Covid-19 specific privacy notice to your employees, as a supplement to your general staff privacy notice.
- Supplement your data retention policy to set out when personal information collected must be reviewed, deleted or anonymised.
- If you are collecting employee health data, or checking and testing, document your legitimate interests assessment (LIA). This should address the three tests: the purpose test (identify the legitimate interest); the necessity test (consider if the processing is necessary); and the balancing test (consider the individual’s interests).
- Consider how the information will be stored to ensure it is kept secure, and who will have access to the information.
- Do you have an internal data subject access request policy? If not, it’s a good time to introduce one to ensure DSARs are handled effectively.
- If you are processing health data on a large scale, or to comply with good practice, prepare a data protection impact assessment (DPIA). This can be done as part of your wider return to work risk assessment.
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.