Data protection and personal data post-COVID-19

Following the relaxation of COVID-19 restrictions, the Information Commissioner (ICO) has updated employers on their data protection obligations regarding the use of personal information.

The ICO guidance recommends, among other things, that employers:

  • consider the emergency practices that they put in place during the pandemic and decide whether the data they collect is still necessary. Is it still reasonable, fair and proportionate to the current circumstances, taking the latest government guidance into account?
  • assess any additional information which was collected and kept during the pandemic; if it is no longer required, it should be confidentially destroyed
  • if they are still collecting vaccination information, be clear about what they are trying to achieve and how asking people for their vaccination status helps to achieve this objective. Use of such data must be fair, relevant and necessary for a specific purpose and there must be a compelling reason to collect it. The ICO also reminded employers that their reason for checking or recording vaccination status must be necessary and transparent. If employers cannot specify a use for this information and are checking it on a ‘just in case’ basis, or if they can achieve their goal without collecting this data, they are unlikely to be able to justify collecting it