Bishop & Sewell

The Information Commissioners Office (ICO) has set out some key considerations organisations need to review around the use of personal information now that Covid-19 measures are relaxing across the UK.

Guidance varies between EnglandNorthern IrelandScotland and Wales, writes Rachel Waller, one of our Data Protection law specialists.

Is it still necessary?

Organisations have had to adapt quickly to respond to the COVID-19 pandemic in order to keep their staff and customers safe. As government measures across the UK relax, these emergency practices should be reviewed to help you decide if the information you have been collecting is still necessary. You should ask yourself a few questions:

  • How will still collecting extra personal information help keep your workplace safe?
  • Do you still need the information previously collected?
  • Could you achieve your desired result without collecting personal information?

You should review your approach and ensure that it is still reasonable, fair and proportionate to the current circumstances, taking the latest government guidance into account. View our guidance on necessity for further information.

Retaining information collected during the COVID-19 pandemic

You may have retained additional personal information during the COVID-19 pandemic in line with government guidelines.

You should assess any additional information which you collected and retained during the pandemic and ensure that you securely dispose any information that is no longer required.

The ICO has outlined practical methods for destroying documents on its SME hub. View their guidance on storage limitation for further information.

Should we still collect vaccination information?

If you are continuing to collect vaccination information, you must be clear about what you are trying to achieve and how asking people for their vaccination status helps to achieve this. Your use of this data must be fair, relevant and necessary for a specific purpose. You should check government guidance which has been published for EnglandNorthern IrelandScotland and Wales. If you wish to collect this information, there must be a compelling reason for you to do so.

Data protection is one of a number of factors to consider when thinking about collecting this information. You should also take into account:

  • employment law and your contracts with employees (if you are considering checking employees’ COVID status);
  • health and safety requirements; and
  • equalities and human rights, including privacy rights.

Your reason for checking or recording vaccination status must be necessary and transparent. If you cannot specify a use for this information and are checking it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.

The use of this information must not result in any unfair treatment of employees, customers, or visitors. You should only use it for purposes they would reasonably expect.

Your processing of this information must be fair and if the collection or use of COVID status information is likely to have a negative consequence for someone, you must be able to justify it.

You will need to identify a lawful basis for collecting this information. If you previously relied on legal obligation as your lawful basis and still want to collect this information, you will need to identify another lawful basis if the legislation relied upon has expired. As a person’s vaccination status is health data, which has the protected status of special category data under data protection law it requires extra protection. Therefore you must also identify an Article 9 condition for processing this information (i.e. the conditions set out under Article 9 of the GDPR).

If the use of this data is likely to result in a high risk to individuals (e.g. denial of employment opportunities or services), or you will be processing health data on a large scale, then you need to complete a data protection impact assessment.

Managing positive cases in the workforce

Data protection law doesn’t prevent you from keeping staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals wherever possible, and you should not provide more information than is necessary.

If you feel that your privacy rights have been breached, if someone has alleged that you have breached their rights, or if you are otherwise struggling to comply with your obligations, please contact Rachel Waller (with respect to general breaches) or Michael Kashis (with respect to reviewing commercial contracts to ensure compliance of Data Processor and Data Controller obligations under GDPR).

Contact our Data Protection Team

For data protection matters, please contact our expert Data Protection team on or call them on quoting reference CB312 on 020 7631 4141.

For more general property dispute matters, please contact our expert Litigation and Dispute Resolution team on or call them on quoting reference CB312 on 020 7631 4141.

The above is accurate as at 10 May 2022. The information above may be subject to change during these ever-changing times.

The content of this note should not be considered legal advice and each matter should be considered on a case-by-case basis.

Category: Blog, News | Date: 10th May 2022

David Little

David Little's Blog

Learn more

Mark Chick's Blog<

Mark Chick's Blog

Leasehold information

Learn more

Technical updates

View by