Coronavirus recovery: Data protection

by | Jun 27, 2020 | Blog

As Coronavirus lockdown restrictions start to ease and businesses begin to reopen, the ICO has set out the key steps organisations need to consider around the use of personal information.  We think this is a great guide so wanted to share a summary with you.  Take a look at the link below for the full guidance.

  1. Only collect and use what’s necessary

The following questions may help you decide if collecting and using people’s health data is necessary:

How will collecting extra personal information help keep your workplace safe?

Could you achieve the result/outcome you need without collecting personal information?

The ICO states if you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.


  1. Keep it to a minimum


The overarching rule is quite simple – don’t collect personal data that you don’t need.  Then if you do collect it, consider how long you need to hold this for as some information only needs to be held momentarily, with no need to create a permanent record.


  1. Be clear, open and honest with staff about their data


Make sure you tell people how and why you wish to use their personal information, including what the implications for them will be. You should also let employees know who you will share their information with and for how long you intend to keep it. You can do this through a clear, accessible privacy notice.


  1. Treat people fairly


If you’re making decisions about your staff based on the health information you collect, you must make sure your approach is fair. Think carefully about any detriment they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination.


  1. Keep people’s information secure


Any personal data you hold must be kept securely and only held for as long as is necessary. It’s also good practice to have a retention plan in place that sets out when and how personal information needs to be reviewed, deleted or anonymised.


  1. Staff must be able to exercise their information rights


As with any data collection, organisations should inform staff about their rights in relation to their personal data, such as the right of access or rectification.


Finally, if you have decided to implement Coronavirus symptom checking or testing, there are additional requirements you need to follow. These include identifying a lawful basis for using the information you collect and, if you’re processing health data on a large scale, conducting a data protection impact assessment.