In the light of the relaxation of COVID-19 measures, on 1 April 2022 the Information Commissioner’s Office (ICO) published guidance for employers, which is intended to assist in compliance with data protection obligations going forward.
The ICO recommends the following actions:
- Consider whether the emergency practices introduced to adapt to the COVID-19 pandemic are still necessary, namely:
- Whether the collection of additional information, which may have been collected during the pandemic for workplace safety reasons, is still required.
- Whether the desired result could be achieved without collecting personal information.
- Securely dispose of any additional information collected and retained during the pandemic that is no longer required.
- If vaccination information is being collected, consider the primary purpose for this. The use of such data must be fair, relevant and necessary for a specific purpose. As an individual’s vaccination status is health data; therefore, a legitimate basis for processing under both Articles 6 and 9 must be identified. If employers are processing such data on a large scale, a data protection impact assessment must be completed.
- When informing members of staff about potential or confirmed COVID-19 cases amongst colleagues, avoid naming individuals and do not provide more information than is necessary.
We strongly advise employers to seek legal advice if there is any uncertainty regarding the collection and processing of personal data.