Prompted by the easing of lockdown and the re-opening of businesses, the ICO has helpfully outlined 6 key steps that organisations need to consider when using personal data. The Guidance is very much in keeping with data protection principles under GDPR and the Data Protection Act 2018 but it is a useful summary for employers nonetheless.

  1. Only collect and use what's necessary

This is in line with the "purpose limitation" principle set out at Article 5(1)b of GDPR. The ICO advises that organisations should ask themselves the following questions:

  • How will collecting extra personal information help keep your workplace safe?
  • Do you really need the information?
  • Will the test you're considering actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information?

If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.

  2. Keep it to a minimum

This is in line with the "data minimisation" principle set out at Article 5(1)c of GDPR.

Only collect information that you really need and keep it only as long as is necessary. For example, temperature test results could be discarded immediately.

  3. Be clear, open and honest with staff about their data

This is in line with the "transparency" principle set out at Article 5(1)a of GDPR.

As with everything employee related, employee relations will be enhanced if you are open and honest with employees in relation to what you are collecting, why and what you are going to do with the data. A clear and accessible privacy notice should be made available.

  4. Treat people fairly

This reflects the "fairness" principle set out at Article 5(1)a of GDPR.

In keeping with general employment law principles, act fairly and ensure that your approach does not result in any kind of detriment or discrimination.

  5. Keep your employees' information secure

This reflects the "integrity and confidentiality" principle set out at Article 5(1)f of GDPR. As with everything employment related, keep the data safe and only keep it for as long as you absolutely need to.

  6. Staff must be able to exercise their information rights

As with any data collection, the ICO expects organisations to inform individuals about their rights in relation to their personal data such as the rights of access or rectification.

More generally, the ICO has highlighted that if you decide to implement symptom checking or testing, there are additional requirements. You need to identify a lawful basis for using the information and if you are processing health data on a large scale remember that you will need to conduct a Data Protection Impact Assessment (DPIA).

This article has been produced for general information purposes and further advice should be sought from a professional advisor. If you have any data protection queries, please contact Director Aisling Byrne. 
