Prompted by the easing of lockdown and the re-opening of businesses, the ICO has helpfully outlined 6 key steps that organisations need to consider when using personal data. The Guidance is very much in keeping with data protection principles under GDPR and the Data Protection Act 2018 but it is a useful summary for employers nonetheless.
This is in line with the “purpose limitation” principle set out at Article 5(1)b of GDPR. The ICO advises that organisations should ask themselves the following questions:
If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.
This is in line with the “data minimisation” principle set out at Article 5(1)c of GDPR.
Only collect information that you really need and keep it only as long as is necessary. For example, temperature test results could be discarded immediately.
This is in line with the “transparency” principle set out at Article 5(1)a of GDPR.
As with everything employee related, employee relations will be enhanced if you are open and honest with employees in relation to what you are collecting, why and what you are going to do with the data. A clear and accessible privacy notice should be made available.
This reflects the “fairness” principle set out at Article 5(1)a of GDPR.
In keeping with general employment law principles, act fairly and ensure that your approach does not result in any kind of detriment or discrimination.
This reflects the “integrity and confidentiality” principle set out at Article 5(1)f of GDPR. As with everything employment related, keep the data safe and only keep it for as long as you absolutely need to.
As with any data collection, the ICO expects organisations to inform individuals about their rights in relation to their personal data such as the rights of access or rectification.
More generally, the ICO has highlighted that if you decide to implement symptom checking or testing, there are additional requirements. You need to identify a lawful basis for using the information and if you are processing health data on a large scale remember that you will need to conduct a Data Protection Impact Assessment (DPIA).
This article has been produced for general information purposes and further advice should be sought from a professional advisor. If you have any data protection queries, please contact Director Aisling Byrne.