As the country gradually moves towards easing lockdown restrictions and businesses begin to open, the Information Commissioner’s Office (ICO) has taken the opportunity to set out what it regards as the main six key steps that organisations need to bear in mind as they come out of lockdown.
In the blog post which the ICO have produced, Information Commissioner Elizabeth Denham said:
“We know from speaking with businesses that you understand there is a responsibility that comes with this recovery phase. We have been answering questions about the rules around organisations collecting additional personal information to provide a safe environment for their staff.
“Data protection does not stop you asking employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, as long as the principles of the law – transparency, fairness and proportionality – are applied.
“The further guidance we have published today will help you comply with these principles, so people’s data is handled with care as we all continue our journey back to normality.”
The six steps that the ICO have set out are:
- 1. Only collect and use what’s necessary
- In other words:
- Will collecting extra personal information help keep the workplace safe?
- Is the information needed?
- Will a particular test actually help provide a safe environment?
- Could the same result be achieved without collecting personal information?
If it can be shown that the approach being taken is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns. See the ICO further guidance on necessity in its statement about testing.
- 2. Keep it to a minimum
- Organisations should generally collect only the information needed to implement their measures appropriately and effectively. This includes personal information such as a person’s COVID-19 symptoms or any related test results. See the ICO has guidance on data minimisation. In particular do not collect personal data that is not needed and do not create a permanent record unless it is essential that you do so.
- 3. Be clear, open and honest with staff about their data
- Bear in mind that staff may be affected by some of the measures you intend to implement, for example preventing them from working. Be mindful of this and ensure they are told how and why their personal information will be used, including the implications this will have for them. Let staff know with whom you will share their information and for how long it will be kept. This can be achieved through a clear, accessible privacy notice.
- 4. Treat people fairly
- When making decisions about staff that is based on health information collected, make sure the the approach taken is fair. Consider carefully any detriment that staff might experience and that the approach taken does not cause any kind of discrimination.
- 5. Keep people’s information secure
- Keep secure any personal data held and hold it only for as long as is necessary. Have a retention policy in place setting out when and how personal information needs to be reviewed, deleted or anonymised.
- 6. Staff must be able to exercise their information rights
- As with any data collection, The ICO expect that organisations will inform individuals about their rights in relation to their personal data, such as the right of access or rectification. They require that staff are given the option to exercise those rights if they wish to do so, and to discuss any concerns they may have with organisations.
Organisations that have decided to implement symptom checking or testing, need also to follow additional requirements. These include:
- identifying a lawful basis for using the information collected (see Testing article), and
- if the processing of health data on a large scale is involved, conducting a data protection impact assessment (See DPIA Guidance).
Overall, bear in mind that a fair approach to handling people’s data, which is transparent in its purpose and compliant with data protection law, will gain the trust of colleagues and communities in this exceptional time.