The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

As lockdown restrictions start to ease and businesses begin to reopen, the ICO has set out the key steps organisations need to consider around the use of personal information.

Information Commissioner Elizabeth Denham said:

“We know from speaking with businesses that you understand there is a responsibility that comes with this recovery phase. We have been answering questions about the rules around organisations collecting additional personal information to provide a safe environment for their staff.

“Data protection does not stop you asking employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, as long as the principles of the law - transparency, fairness and proportionality - are applied.

“The further guidance we have published today will help you comply with these principles, so people’s data is handled with care as we all continue our journey back to normality.”

The six key data protection steps are:

Only collect and use what’s necessary

To help you decide if collecting and using people’s health data is necessary to keep your staff safe, you should ask yourself a few questions:

  • How will collecting extra personal information help keep your workplace safe?  
  • Do you really need the information?
  • Will the test you’re considering actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information?  

If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns. View our further guidance on necessity.

Keep it to a minimum

When collecting personal information, including people’s COVID-19 symptoms or any related test results, organisations should collect only the information needed to implement their measures appropriately and effectively. The ICO has guidance on data minimisation to help you make this decision.

Don’t collect personal data that you don’t need. Some information only needs to be held momentarily, and there is no need to create a permanent record.

Be clear, open and honest with staff about their data

Some people may be affected by some of the measures you intend to implement. For example, staff may not be able to work. You must be mindful of this, and make sure you tell people how and why you wish to use their personal information, including what the implications for them will be. You should also let employees know who you will share their information with and for how long you intend to keep it. You can do this through a clear, accessible privacy notice.

Treat people fairly

If you’re making decisions about your staff based on the health information you collect, you must make sure your approach is fair. Think carefully about any detriment they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination.

Keep people’s information secure

Any personal data you hold must be kept securely and only held for as long as is necessary. It’s also good practice to have a retention policy in place that sets out when and how personal information needs to be reviewed, deleted or anonymised.

Staff must be able to exercise their information rights

As with any data collection, we would expect organisations to inform individuals about their rights in relation to their personal data, such as the right of access or rectification. Staff must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have with organisations.

If you have decided to implement symptom checking or testing, there are additional requirements you need to follow. These include identifying a lawful basis for using the information you collect and, if you’re processing health data on a large scale, conducting a data protection impact assessment. These steps are covered in our guidance and will ensure you are complying with data protection law.

A fair approach to handling people’s data, which is transparent in its purpose and compliant with data protection law, will gain the trust of colleagues and communities in this exceptional time.

The ICO will continue to help organisations and businesses through the current recovery phase by supporting innovation and economic growth, while ensuring that people’s information rights are not set aside.