Business are now beginning to reopen with lockdown easing and it is worth looking at the ICO steps for organisations when considering the use of personal information. We have summarised below some key points for you.
1. Collecting necessary data
This reflects the data protection principle of “purpose limitation”.
To help you decide if collecting and using employees’ health data is necessary to keep your staff safe, you should ask yourself the following questions:
· How will collecting extra personal information help keep your workplace safe?
· Do you really need the information?
· Will the test you’re considering actually help you provide a safe environment?
· Could you achieve the same result without collecting personal information?
If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.
2. Keep it to a minimum
This reflects the data protection principle of “data minimisation”.
When collecting personal information, including Covid-19 symptoms, organisations should collect only the information needed to implement their measures appropriately.
In some cases, some information only needs to be held for a short period, and there is no need to create a permanent record.
3. Be transparent with staff about their data
Employees have a right to know how their information will be handled.
Some employees may be affected by some of the measures you intend to implement. You should also let employees know who you will share their information with and for how long you intend to keep it. You can do this through a clear, accessible privacy notice.
If you’re making decisions about your staff based on the health information you collect, you must make sure your approach is fair and reasonable. Think carefully about any detriment they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination.
5. Keep data secure
This reflects the data protection principles of “integrity and confidentiality” and “storage limitation”.
Any personal data you hold must be kept securely and only held for as long as is necessary.
6. Know their rights
As with any data collection, organisations must inform individuals about their rights in relation to their personal data, such as the right of access or rectification. Employees must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have with organisations.
Legal basis for processing
As well as following these principles, if you decide to implement symptom checking or testing, you must identify a lawful basis for using the information you collect.
The most appropriate legal basis, therefore, will be that the collection of health data is in the “legitimate interests” of the employer, such interests not being overridden by the interests of the employees.
In addition, as health data is one of the “special categories” of personal data, an additional lawful basis is required. Again, we recommend that employers avoid reliance on “explicit consent”, and instead rely on the necessity to process the information to comply with the employer’s health and safety at work obligations.
Finally, if you are processing health data on a “large-scale”, you will also need to conduct a “data protection impact assessment” (DPIA). GDPR does not define what constitutes large-scale. In essence, this will be determined mainly by the number of employees involved. While a small business is unlikely to be processing employee data on a large-scale, even if you are not strictly required to carry out a DPIA, it is good practice to do so.
It would show compliancy if you prepare and provide a Covid-19 specific privacy notice to your employees, as a supplement to your general staff privacy notice. If you are collecting employee health data, or checking and testing, document your legitimate interests assessment (LIA). This should address the three tests: the purpose test (identify the legitimate interest); the necessity test (consider if the processing is necessary); and the balancing test (consider the individual’s interests). Also Consider how the information will be stored to ensure it is kept secure, and who will have access to the information.
If you have any issues with cyber security and data protection or any other aspects intellectual property you want to discuss, we at Briffa advises on all aspects of intellectual property law and practice and offers free 30-minute consultations to all new clients. If you would like to book a call or a meeting with one of our specialist IP lawyers, please contact firstname.lastname@example.org or 020 7288 6003.
Written by Hasnath Ahmed, Solicitor