Coronavirus (COVID-19): Data protection – ICO guidance


The Information Commissioner’s Office (ICO) has published advice for organisations on the use of personal information as businesses begin to reopen, including six data protection steps for organisations.

Overall, the ICO has confirmed that data protection law does not prevent organisations from asking employees whether they are experiencing Coronavirus symptoms, so long as the principles of the law are applied, including transparency, proportionality and fairness. If those principles are applied, data protection law will likewise not prevent organisations from introducing appropriate testing. The guidance is intended to help organisations comply with these principles.

The six data protection steps are:

  • only collect and use what’s necessary: before collecting and using people’s health data, an organisation should apply a set of questions to assess whether the approach is necessary, reasonable, fair and proportionate to the circumstances;
  • keep it to a minimum: when collecting personal information, including Coronavirus symptoms and test results, organisations should collect only what is required to implement their measures appropriately and effectively;
  • be clear, open and honest with staff about their data: staff must be told how and why their personal information is being used, including what the implications for them will be;
  • treat people fairly: any decisions made on the basis of collected health data must be reached fairly, and the approach must not result in discrimination of any kind;
  • keep people’s information secure: any personal data an organisation collects must be held securely and retained only for as long as necessary; and
  • staff must be able to exercise their information rights: organisations should inform individuals of their rights in relation to their personal data. Where an organisation has implemented symptom checking or testing, additional requirements apply, such as identifying a lawful basis for using the information collected and conducting a data protection impact assessment.