ICO publishes data protection steps for organisations in response to coronavirus (COVID-19)

The Information Commissioner’s Office (ICO) has published six data protection steps for organisations setting out the key principles organisations need to consider regarding the use of personal information as lockdown restrictions start to ease and businesses begin to reopen following the coronavirus (COVID-19) pandemic. Information Commissioner, Elizabeth Denham, has confirmed that data protection does not prevent organisations from asking employees whether they are experiencing coronavirus symptoms so long as the principles of the law are applied, including transparency, proportionality and fairness. Additionally, if these principles are applied, data protection will not prevent organisations from introducing appropriate testing. Denham stated: ‘The further guidance we have published today will help you comply with these principles, so people’s data is handled with care as we all continue our journey back to normality.’

The six data protection steps include:

• only collect and use what’s necessary—for an organisation to determine whether it should collect and use people’s health data, it should apply a set of questions to assess whether the approach is necessary, reasonable, fair and proportionate to the circumstances

• keep it to a minimum—when organisations collect personal information, including coronavirus symptoms and test results, information should only be collected that is required to implement measures appropriately and effectively

• be clear, open and honest with staff about their data—staff must be informed of how and why their personal information is being used, including what the implications for them will be

• treat people fairly—ensure that a fair approach is taken to any decisions that are made based on health data that is collected and ensure the approach does not cause any kind of discrimination

• keep people’s information secure—any personal data that an organisation collects must be held securely and only for as long as necessary

• staff must be able to exercise their information rights—organisations should inform individuals of their rights in relation to their personal data. If an organisation has implemented symptom checking or testing, additional requirements must be followed, such as identifying a lawful basis for using the information collected and conducting a data protection impact assessment.

Sources:

Coronavirus recovery – data protection advice for organisations

Coronavirus recovery - six data protection steps for organisations
