The UK Information Commissioner’s Office (“ICO”) has released guidance to assist employers in implementing appropriate safeguards as workplaces reopen, titled “Coronavirus Recovery – Six Data Protection Steps for Organisations” (the “guidance”). This guidance sets out the key principles of data protection that should be kept in mind as employers put measures in place to prevent the spread of COVID-19.
The ICO states, “Data protection does not stop you asking employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, as long as the principles of the law—transparency, fairness and proportionality—are applied.”
Specifically, the ICO emphasizes that:
- While gathering additional data relating to the pandemic may be acceptable, employers should only collect what is reasonably necessary to ensure a safe workplace. If the same result could be achieved without collecting personal information, further collection should be avoided.
- Data collection should be kept to a minimum and permanent records should not be created unless necessary.
- Employers should be transparent with staff as to how the data is going to be used. For example, the collection of data related to symptoms could result in employees being refused entry to the workplace, and this should be clear to employees when their data is obtained. Employees should also be informed regarding who the data is shared with and how long it will be retained. Organizations should consider putting a pandemic-specific privacy notice in place for the purposes of this kind of collection.
- Employees must be treated fairly and employers must ensure that their approach to using the data is not discriminatory.
- Data must be kept secure and deleted or anonymized when no longer needed.
- Employees should be made aware of their data protection rights in relation to the data collected, and should be able to exercise these rights and discuss concerns with their employers.
Where symptom checking or testing is implemented in the workplace, the guidance also highlights that employers should identify their legal basis for processing, as required under Article 6 of the EU General Data Protection Regulation, and conduct a data protection impact assessment if warranted by the volume of health data collected.
Read the ICO’s guidance.