In light of lockdown restrictions continuing to be lifted and organisations planning to reopen, the UK Information Commissioner's Office ("ICO") has outlined six steps businesses in the UK will need to consider when using personal data, and especially health personal data, as a part of their COVID-19 recovery plans.

The six steps do not represent new regulations, but they are considerations that businesses need to keep in mind in order to demonstrate compliance with their data protection obligations under the General Data Protection Regulation and the Data Protection Act 2018.

The six steps are:

1. Only collect and use what's necessary

Businesses should only collect and use people's health data which is necessary to keep their staff safe.

The ICO recommends that before businesses collect additional data, they should consider how collecting extra personal information will help keep the workplace safe and if they really need the information, or if it is possible to achieve the same result without collecting additional personal data.

If businesses decide to introduce symptom checking or testing of their staff and/or visitors, there are additional requirements that businesses need to follow. These include identifying a lawful basis for collecting and using the information collected and, if they are processing health data on a large scale, conducting a data protection impact assessment. The ICO has published a list of frequently asked questions in relation to employee testing, which can be a helpful resource, and we are running a global series, Back to Business – Employment & Benefits Global Broadcast Series, which covers key legal concerns that employers now need to consider in different jurisdictions, such as workplace health and safety, testing and privacy.

2. Keep it to a minimum

When collecting information, including about people's COVID-19 symptoms or any related test results, businesses should only collect the minimum personal information needed to implement their measures appropriately and effectively (data minimisation).

Businesses should not collect personal data that they don't need and should consider carefully for how long the additional personal data collected needs to be held.

3. Be clear, open and honest with staff about their data

Businesses should be open with their staff about how the information collected about them will be used and why the business wishes to collect the additional personal information, including what the implications for the staff might be of providing the additional personal information (e.g. that they might not be able to work from the office for some time if they have COVID-19 symptoms).

Businesses should also let employees know who they will share this information with (e.g. insurers, the landlord and other tenants of shared office spaces, regulators) and for how long they intend to keep it. Businesses can do this by amending their existing privacy notice or creating a new privacy notice specifically for COVID-19.

4. Treat people fairly

If businesses are making decisions about staff based on the health information collected, they must make sure that their approach is fair. In particular, the ICO cautions against any detriment employees might suffer as a result of the data collection policy (e.g. discrimination against vulnerable individuals, carers or employees who have multiple jobs).

5. Keep people's information secure

The ICO reminds businesses that any personal data they hold must be kept securely, only held for as long as is necessary and deleted or (if applicable) anonymised in accordance with their data retention policy.

6. Staff must be able to exercise their information rights

The ICO expects businesses to inform individuals about their rights in relation to their personal data, such as the right of access or rectification. The ICO reminds businesses that staff must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have.

Originally published by Mayer Brown in June 2020


Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.