ICO issues new Covid-19 guidance
The ICO has issued new guidance to assist businesses reopening after the Covid-related lockdown. The guidance emphasises the ICO’s proportionate approach to enforcing the General Data Protection Regulation ('GDPR') during the pandemic, which has been well received by businesses.
The ICO has provided further details on how organisations may collect data lawfully and proportionately when implementing testing or other screening measures for COVID-19 in the workplace, as well as setting out its six-point guidance for organisations to consider around the use of personal information.
Information Commissioner Elizabeth Denham said:
“Data protection does not stop you asking employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, as long as the principles of the law - transparency, fairness and proportionality - are applied.
“The further guidance we have published today will help you comply with these principles, so people’s data is handled with care as we all continue our journey back to normality.”
The six key data protection steps are:
● Only collect and use what’s necessary
● Keep it to a minimum
● Be clear, open and honest with staff about their data
● Treat people fairly
● Keep people’s information secure
● Staff must be able to exercise their information rights
COVID-19 contact tracing scheme guidance
This guidance is aimed at organisations and small businesses that are asked by the government to collect and retain customer and visitor information, for a limited time period, for the purposes of a COVID-19 contact tracing scheme. The guidance covers questions including:
● Are we allowed under data protection law to collect personal data from our customers as part of a contact tracing scheme?
● What do we need to tell people when we collect their data for the contact tracing scheme?
● How do I make sure my collection and sharing of data is lawful?
● Should I use consent as my lawful basis?
● How much personal data should we collect for a contact tracing scheme?
● How long can we keep personal data collected in accordance with government guidance?
● How do we make sure that the personal data we collect is accurate?
● What data protection rights do people have in relation to the data we collect about them for a contact tracing scheme?
● What do we need to do about security?
● Who can we share the customer data we collect with?
● Can we use the personal data we have collected for a contact tracing scheme for marketing or other business purposes?
Testing and screening for COVID-19
The ICO has set out guidance for businesses that might wish to test and screen their employees for Covid-19. It indicates that the collection of personal data must be necessary and proportionate in relation to the controller’s stated purpose and the relevant lawful basis.
Keep in mind that, due to its sensitivity, health data has the protected status of ‘special category data’ under data protection law.
The guidance addresses subjects such as whether testing and screening is necessary, and sets out factors to include in the decision-making process, including the specific circumstances of your organisation / workplace:
● the type of work you do;
● the type of premises you have;
● whether working from home is possible; and
● any specific regulations or health and safety requirements that apply to your organisation or professional staff and any duty of care that you owe to them.
Other questions the guidance addresses include:
● How can I show that our approach to testing is compliant with data protection law?
● How do I decide if symptom checking, testing and the processing of health data of employees is necessary?
● How do I decide what type of tests are necessary?
● Which lawful basis can I use for testing employees?
● What do I need to tell my staff?
● Can I make it mandatory that my staff are checked for COVID-19 symptoms or tested?
● How often should I check for symptoms or test employees?
● My organisation provides or has commissioned a testing service for its employees. What information do I have to provide to employees about results?
● Some staff already have the results of tests that they have arranged for themselves. If they disclose these results to me, what are the data protection considerations?
● Can I keep lists of employees who either have symptoms or have been tested as positive?
● How do I ensure I don’t collect too much data?
● Can I share the fact that someone has tested positive with other employees? What do I need to consider if I am planning to disclose this information to third parties?
● How do I ensure that staff are able to exercise their information rights as part of this process?
The guidance addresses whether onsite surveillance is ever appropriate, particularly the use of temperature checks and thermal cameras. The general conclusion was that they may be appropriate in some circumstances, but the ICO did not encourage them, favouring organisations considering less intrusive means. Any such measures should be introduced having taken appropriate legal advice.
The guidance also addresses the use of CCTV footage for monitoring contact where an employee turns out to have been subsequently diagnosed with Covid-19. Again, the ICO emphasised that “employees have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment” and recommended legal advice be sought.
Employers should also note that the Medicines and Healthcare products Regulatory Agency does not recommend using products such as thermal cameras or temperature checks for medical purposes, particularly if they have not been designed for human use.
Posted on 9 July, 2020 by Ortolan