
Managing personal data collected and used during the pandemic: Stay compliant


To keep employees and customers safe during the COVID-19 pandemic, many organisations adopted emergency practices in respect of collecting and processing personal data relating to the pandemic. David Edwards and Charles Mather from Harrison Drury’s regulatory team outline new guidance to ensure that businesses remain compliant.

In line with the recent relaxation of the government’s COVID-19 safety measures, the Information Commissioner’s Office (ICO) has published new guidance relating to personal data collected and processed by organisations in consequence of the pandemic.

The guidance falls broadly into four categories, outlined below.

1. Emergency practices put in place during the pandemic

Organisations should review any practices that were put into place during the pandemic to ensure that the related collection and processing of personal data remains reasonable, fair and proportionate to the current circumstances, taking the latest government guidance into account.

2. Retention of personal data collected during the pandemic

The storage limitation principle of the United Kingdom General Data Protection Regulation (UK GDPR), set out in Article 5(1)(e), requires that personal data must not be kept in a form that identifies individuals for longer than is necessary to fulfil the purpose for which it was collected.

Organisations may only use personal data for a new purpose if it is compatible with the original purpose, or if consent is given, or the organisation has a clear obligation or function set out in law to do so.

Where an organisation has determined that personal data collected for the purposes of the pandemic is no longer required, that personal data should be securely and confidentially destroyed.

3. Vaccination status

To collect and process special category personal data in accordance with UK GDPR, organisations must identify both a lawful basis under Article 6 and a separate condition for processing under Article 9. If they cannot do so, then collection and processing is unlawful.

Organisations that continue to collect special category health data, in the form of vaccination status, must be clear about what it is they are trying to achieve and how collecting the employees’ vaccination status contributes to that objective.

If organisations can achieve a stated objective without collecting this data, they are unlikely to be able to justify its collection.

4. Information about positive COVID-19 cases among employees

Any organisation that decides to inform employees about possible or confirmed COVID-19 cases among colleagues in order to manage its workforce should, where possible, avoid naming individuals and should not provide colleagues with more information than is necessary.

The ICO has the power to penalise organisations that do not adhere to UK GDPR, and fines can be substantial. If you require guidance regarding the management of your organisation’s personal data or need help with any other data protection matter, please contact Harrison Drury’s regulatory team on 01772 258321.
