In its guidance, the ICO highlights specific issues organisations and employers should consider in light of the relaxation of the Government's COVID-19 policy.
The guidance suggests that any emergency practices that were introduced as a result of the pandemic should now be reviewed to determine whether collecting this information is still necessary. An organisation's approach to information collection should also be reasonable, fair and proportionate.
The guidance recommends organisations ask themselves the following questions to form a view on whether their current practices should now be revised:
Employers who retained additional personal information during the pandemic should assess this information again now and securely dispose of it if it is no longer required. The ICO points to some practical methods for destroying documents in its guidance.
There must be a compelling reason to collect data on vaccination. It is necessary to establish what the organisation is trying to achieve, and how collecting this data helps the organisation achieve the identified aim.
Organisations who wish to collect this data must use the data in a way that is fair, relevant and necessary for a specific purpose. The ICO has flagged a number of other factors to consider when thinking about collecting this information, including the employees' contractual terms, health and safety requirements, and equalities and human rights (including privacy rights).
The guidance also confirms that organisations will need to identify a lawful basis for collecting this information. 'Legal obligation' is no longer available as a lawful basis for collecting vaccination information as the legislation relied upon has expired. It is also important to remember that health data is 'special category data' and so attracts extra protection. Employers must therefore think carefully if they still wish to collect this information.
The ICO recommends avoiding naming individuals when informing staff about potential or confirmed COVID-19 cases.
We recommend reading the ICO's guidance in full so that you can ensure that your organisation is doing everything it can to remain compliant with data protection law, in the changing landscape of the pandemic.