Over the course of the COVID-19 pandemic data protection issues and privacy considerations have been in the spotlight, particularly in relation to the use of contact-tracing apps (see our articles here and here). As has been the case throughout the pandemic, businesses have had to adapt quickly to changing circumstances and this has required constant review of their practices and procedures, in line with government guidance.

Following the relaxation of COVID-19 rules on 1 April 2022 in England* (end of free testing, no requirement for COVID-status/vaccine certificates), new guidance has been published by the ICO to help organisations and employers with the process of reviewing their collection and use of individuals’ personal information.

Some of the key recommendations from the guidance aimed at employers include:

  • Reviewing practices put in place during the pandemic and ascertaining whether collection of personal data is still necessary. It must still be reasonable, fair and proportionate to the current circumstances, taking into account the latest government guidance.
  • Assessing any additional personal data that was collected and stored during the pandemic and ensuring its secure disposal (if it is no longer needed).
  • Ensuring that management of positive cases in workplaces is compliant. 
  • Consulting government guidance on collecting vaccination information, if necessary and undertaking a review of why this information is being collected.  The new guidance highlights several data protection compliance issues such as identifying a lawful basis other than "legal obligation" when collecting vaccination information if relevant legislation has expired. As vaccination status is categorised as health data, then both an Article 6 and an Article 9 condition for processing is required and in some cases (where there is a potential high-risk to the rights and freedoms of individuals) a data protection impact assessment ('DPIA') may be necessary. As well as data protection, other factors to consider include employment law and contracts with employees, health and safety requirements and equalities and human rights (including privacy rights).

Most employers are currently in the process of reviewing their COVID protection measures with a view to ensuring safe work spaces for employees (and customers) and managing the return to site/the office. An important feature of this review will be to take into account any data implications, both in terms of future data collection and historic data held.

*Guidance may vary between England, Scotland, Wales and Northern Ireland so please consult government guidance.