The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

With COVID-19 measures relaxing across the UK, the ICO has set out some key things organisations need to consider around the use of personal information.

You should check government guidance for where you live. Guidance varies between England, Northern Ireland, Scotland and Wales

Is it still necessary?

Organisations have had to adapt quickly to respond to the COVID-19 pandemic in order to keep their staff and customers safe. As government measures across the UK relax, these emergency practices should be reviewed to help you decide if the information you have been collecting is still necessary. You should ask yourself a few questions:

  • How will still collecting extra personal information help keep your workplace safe?
  • Do you still need the information previously collected?
  • Could you achieve your desired result without collecting personal information?

You should review your approach and ensure that it is still reasonable, fair and proportionate to the current circumstances, taking the latest government guidance into account. View our guidance on necessity for further information.

Retaining information collected during the COVID-19 pandemic

You may have retained additional personal information during the COVID-19 pandemic in line with government guidelines.

You should assess any additional information which you collected and retained during the pandemic and ensure that you securely dispose any information that is no longer required. We have outlined practical methods for destroying documents on our SME hub. View our guidance on storage limitation for further information.

Can we still collect vaccination information?

If you are continuing to collect vaccination information, you must be clear about what you are trying to achieve and how asking people for their vaccination status helps to achieve this. Your use of this data must be fair, relevant and necessary for a specific purpose. You should check government guidance which has been published for England, Northern Ireland, Scotland and Wales. If you wish to collect this information, there must be a compelling reason for you to do so.

Data protection is one of a number of factors to consider when thinking about collecting this information. You should also take into account:

  • employment law and your contracts with employees (if you are considering checking employees’ COVID status);
  • health and safety requirements; and
  • equalities and human rights, including privacy rights.

Your reason for checking or recording vaccination status must be necessary and transparent. If you cannot specify a use for this information and are checking it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.

The use of this information must not result in any unfair treatment of employees, customers, or visitors. You should only use it for purposes they would reasonably expect. Your processing of this information must be fair and if the collection or use of COVID status information is likely to have a negative consequence for someone, you must be able to justify it.

You will need to identify a lawful basis for collecting this information. If you previously relied on legal obligation as your lawful basis and still want to collect this information, you will need to identify another lawful basis if the legislation relied upon has expired. As a person’s vaccination status is health data, which has the protected status of ‘special category data’ under data protection law it requires extra protection. Therefore you must also identify an Article 9 condition for processing this information.

If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities or services), or you will be processing health data on a large scale, then you need to complete a data protection impact assessment.

Managing positive cases in the workforce

Data protection law doesn’t prevent you from keeping staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals wherever possible and you should not provide more information than is necessary.