Now that COVID-19 measures are starting to relax across the UK, the Information Commissioner’s Office (ICO) has published some useful guidance on what organisations need to consider about the data that they process.
In line with the Government’s guidelines, organisations and businesses were required to retain additional information during the pandemic, such as people’s contact details, for tracing purposes. As measures have now started to relax, the ICO is of the view that these emergency practices should be reviewed and organisations should now be asking themselves if the data that they have been collecting is still necessary.
Organisations should be reviewing their approach to ensure that it is still reasonable, fair, and proportionate in the current circumstances, taking into account the latest Government guidance. It is important to ask questions such as:
- Will continuing to collect the extra personal data help keep your workplace safe?
- Do you still need to hold the data previously collected?
- Could you achieve the same results without collecting personal data?
During the pandemic, many organisations were collecting vaccination data. The ICO has made it clear that if you are continuing to collect vaccination data, you must be clear about what you are trying to achieve and also clear about how asking people for their vaccination status helps you achieve this.
If you are processing vaccination data “just in case” or if you can achieve your goal without collecting this specific data, it is unlikely that you will be able to justify your actions.
To be able to lawfully process vaccination data, you need to identify a lawful basis for collecting the data. Previously, when it was a Government requirement to do so, organisations could rely upon the legal obligation as a lawful basis. If, however, organisations still wish to process vaccination data despite it no longer being a requirement to do so, they must rely upon one of the other lawful bases, which are set out in Article 6 of the UK GDPR (we have outlined these in our previous blog).
Further, as vaccination data is health data, it is classed as special category data in accordance with Article 9 of the UK GDPR. You must identify an Article 9 condition for the processing of the data.
It is important to know that data protection law does not prevent organisations from keeping their staff informed about potential or actual COVID-19 cases amongst colleagues. Wherever possible, however, you should avoid naming specific individuals.
If you have any doubts about your obligations under UK GDPR, it is important to seek legal advice as soon as possible.
How can we help
If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.