Data protection and COVID-19 updated guidance

Posted on May 19th, 2022

Following the relaxation of government measures, the Information Commissioner’s Office (ICO) has set out guidance for organisations to consider relating to the use of personal information.

The ICO advises organisations to review their practices, in order to decide whether the information they have been collecting is still necessary. The questions the ICO recommends asking are:

  • How will continuing to collect extra personal information help keep your workplace safe?
  • Do you still need the information previously collected?
  • Could you achieve your desired result without collecting personal information?

Retained information

The ICO advises assessing any additional information collected and retained during the pandemic. Any information that is no longer required should be securely disposed of.

Vaccination information

With regard to the collecting of vaccination information, the ICO states that organisations must be clear about what they are trying to achieve and how asking people for their vaccination status helps to achieve this. There must be a compelling reason to collect this information.

In addition to considering data protection, organisations also need to take into account:

  • Employment law and employee contracts.
  • Health and safety requirements.
  • Equalities and human rights, including privacy rights.

The reasons for checking or recording vaccination status must be necessary and transparent; it should not be on a ‘just in case’ basis.

Legal basis

During the pandemic, the legal basis for collecting this information would have been ‘legal obligation’. However, with the relaxation of restrictions, organisations will now need to identify another lawful basis if the legislation relied upon has expired. Given a person’s vaccination status is health data, this has the protected status of ‘special category data’. This means that, under data protection law, it requires extra protection and, therefore, an Article 9 condition for processing must be identified.

Managing positive cases in the workforce

The ICO guidance states that employers can continue to keep staff informed about potential or confirmed cases of COVID-19 within the workplace. However, the advice is to avoid naming individuals where possible and not to provide more information than is necessary.

The full guidance can be found at Data protection and Coronavirus-19 – relaxation of government measures.

Need support with your HR?

Our support means you can focus on education, while we take care of your organisation’s HR needs.

CEFM offers consultancy to support schools with all aspects of management. Get in touch for a free consultation about how we can help you.

The GDPR section of our CEFMi website contains model policies, guidance and frequently asked questions. Get a free trial of CEFMi – a comprehensive resource for school managers containing over 7,000 pages of text. No other website offers such a complete service specifically written for schools.