COVID-19 Pandemic

Since 31 December 2019, the world has fought relentlessly against COVID-19, the disease caused by the coronavirus. First seen as an outbreak in Wuhan, the People's Republic of China, the disease spread rapidly throughout the globe and turned into a pandemic. Since then, every country has worked tirelessly to prevent the pandemic from accelerating any further.

With vaccination under way to prevent the loss of millions of lives, statistics on how many people have already been vaccinated or have survived the disease gained importance in the eyes of many countries, as well as of employers around the world who try to prevent transmission of the virus in their workspaces.

Usage of COVID-19 Data

For employers, creating statistics and using vaccination and test data has become crucial, and many countries' information offices have dealt with how to manage these data. The need extends from storing the data to actively using it to ban certain people from entering the premises of the workplace. The ICO has also given explanations of how employers should collect, store and use these data and how the process should be handled in line with UK GDPR. The ICO clarifies these processes by identifying the data as COVID-19 symptoms, vaccination and test information.

According to the ICO, certain questions must be asked of an employer to identify the legal reasoning for processing such data. In this context, the employer needs to consider:

  • how the collection of extra personal info might help to keep the workplace safe,
  • whether it is necessary to collect such info,
  • whether the test being considered would guarantee a safe environment, and most of all
  • whether the result can be achieved without the collection of such info.

The employer should keep these questions in mind and be able to answer them in order to obtain such data. If the employer can address these issues with an approach that is reasonable, fair and proportionate to the circumstances, then the data processing would not be groundless and would align with UK GDPR.

Reasonable, Fair, Proportionate Process of Sensitive Data

The ICO also advises that, if these data are to be collected, an employer should collect only the information needed to implement their measures appropriately and effectively. To achieve data minimisation, the data processed should be adequate, that is, sufficient to properly fulfil the stated purpose; relevant, that is, having a rational link to the purpose; and limited to what is necessary, so that employers do not hold more data than the purpose needs.

When an employer would like to carry out workplace tests to check whether staff have symptoms of COVID-19 or the virus itself, then according to the ICO the employer still needs to comply with UK GDPR and the Data Protection Act 2018, since this type of data relates to health and is itself sensitive, being classified as special category data. As a result, this data must be handled lawfully, fairly and transparently, and because the classification category requires additional safeguards, the employer must put these safeguards in place. If the employer cannot specify the use of this data but records it on a 'just in case' basis, or can achieve the result without collecting this data, then the collection would not be justified.

If the employer would like to collect these data on a 'just in case' basis, then the employer should conduct only a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and should not retain any personal data from it. If the check is performed digitally, such as by scanning the QR code displayed on the pass, then this type of checking would constitute processing of personal data even if the employer did not keep a record of it. Therefore the UK GDPR would apply. If the employer makes a record of this data, whether obtained through visual or digital checks, then the employer would be processing personal data. Therefore the UK GDPR would apply in this case too.

Processing under Public Health or Employment Condition

If the employer would like to process such data collected from employees or customers, then the data is processed under either the employment condition or the public health condition. The employment condition is set out in Article 9(2)(b) along with Schedule 1, Part 1(1) of the DPA 2018. The public health condition is set out in Article 9(2)(i) and Schedule 1, Part 1(3) of the DPA 2018.

If the employer intends to rely on the public health condition, then it must ensure that either a health professional carries out the processing, or that people are told that their COVID status is being treated as confidential and would only be disclosed in clearly defined circumstances. In such cases, getting the consent of the employee is rarely appropriate because the employment setting entails an imbalance of power between the employer and employee. Similarly, getting consent from the customer is unlikely to be appropriate, since checking a COVID pass is a condition of entry to the premises or workplace. As such, consent is considered unlikely to be 'freely given' in these circumstances. If the employer identifies either the employment or the public health condition as a condition for processing special category data and meets the Schedule 1 obligations, then it does not need the employee's separate consent to receive test results.

Data Minimisation

When requesting such data, the employer should ask for the minimum amount of data necessary for the purpose. For example, if an individual has a clinically approved exemption status, then the employer should not routinely request further information regarding the clinical reason behind the exemption. The employer should also take into account that accepting the offer of a vaccine is a personal decision, which could be influenced by several factors. If the employees work somewhere where they are more likely to encounter those infected with COVID-19, or could pose a risk to clinically vulnerable individuals, then these factors could form part of the justification for collecting employee vaccination status. However, if the employer only keeps on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information. Another aspect of the usage of this data is that it should not lead to unfair or unjustified treatment of employees or, in other cases, customers or visitors. The collection process should also be handled delicately.

According to the ICO, on the 'just in case' basis: if you are only conducting a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute 'processing'. The activity would therefore fall outside of the UK GDPR's scope. Taking a temperature with a digital thermometer, on the other hand, involves the processing of personal data even if the employer does not record any information. Employers should be aware that this data is health data, which falls under special category data.

Since COVID-19 is a notifiable disease, employers must inform public health authorities when there are two or more cases confirmed as it constitutes an outbreak. Employers should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues but should avoid naming individuals.


In the UK, the employer should handle data concerning COVID-19 with care. The aforementioned data are health data and are therefore categorised as sensitive data. Data minimisation, the employment and public health processing conditions, and consent issues should be addressed before processing such data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.