• Contact Us

ICO Publishes Guidance for Organisations Relating to Data Protection and COVID-19

on Thursday, 14 April 2022.

The ICO has published new guidance for organisations in light of the recent relaxation of the government's COVID-19 rules.

In its guidance, the ICO highlights specific issues organisations and employers should consider in light of the relaxation of the Government's COVID-19 policy.   

Collecting and Retaining Information

The guidance suggests that any emergency practices that were introduced as a result of the pandemic should now be reviewed to determine whether collecting this information is still necessary. An organisation's approach to information collection should also be reasonable, fair and proportionate.

The guidance recommends organisations ask themselves the following questions to form a view on whether their current practices should now be revised:

  • How will continuing to collect this extra personal information help keep the workplace safe?
  • Do you still need the information previously collected?
  • Could you achieve your desired result without collecting personal information?

Employers who retained additional personal information during the pandemic should assess this information again now and securely dispose of it if it is no longer required. The ICO points to some practical methods for destroying documents in its guidance.

Vaccination Information and Managing Positive Cases

There must be a compelling reason to collect data on vaccination.  It is necessary to establish what the organisation is trying to achieve, and how collecting this data helps the organisation achieve the identified aim.   

Organisations who wish to collect this data must use the data in a way that is fair, relevant and necessary for a specific purpose.  The ICO has flagged a number of other factors to consider when thinking about collecting this information, including the employees' contractual terms, health and safety requirements, and equalities and human rights (including privacy rights).

The guidance also confirms that organisations will need to identify a lawful basis for collecting this information.  'Legal obligation' is no longer available as a lawful basis for collecting vaccination information as the legislation relied upon has expired.  It is also important to remember that health data is 'special category data' and so attracts extra protection. Employers must therefore think carefully if they still wish to collect this information.

The ICO recommends avoiding naming individuals when informing staff about potential or confirmed COVID-19 cases.

Stay Up to Date

We recommend reading the ICO's guidance in full so that you can ensure that your organisation is doing everything it can to remain compliant with data protection law, in the changing landscape of the pandemic.


For more information on Data Protection and COVID-19, please contact Ellen Netto in our Employment team on 0117 314 5377, or complete the form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Telephone
Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input