Alongside all the other practical challenges of the easing of lockdown restrictions is the question of what additional requests organisations may need to make of their employees to provide a safe working environment. This may include asking employees if they are experiencing any COVID-19 symptoms, requiring them to undergo testing in certain circumstances, and requiring them to provide for details of other employees, clients and suppliers with whom they may have been in contact.
Requests such as these will necessarily involve processing personal data and employees will perfectly reasonably want to be reassured that the protections and requirements of the GDPR and Data Protection Act 2018 are being observed.
It is therefore timely that the ICO has issued a 6 step guide to employers on these issues, as part of a toolkit of advice to businesses dealing with data protection during the Coronavirus lockdown.
In brief, the 6 steps are:
1. Only collect and use what personal data is necessary;
2. Keep it to a minimum;
3. Be clear, open and honest with staff about their data
4. Treat people fairly, to avoid discrimination;
5. Keep people’s information secure; and
6. Staff must be able to exercise their information rights.
While much of this may seem like a statement of the obvious, it is exactly these basic messages that need to be restated and reinforced at a time when a disorganised unlocking of lockdown can result in serious harm to individuals if sensitive health data is treated in a cavalier fashion. The ICO has behaved exactly as we should wish a responsible regulator to behave: no scaremongering, no heavy handed application of rules or guidance, just reassuring common sense advice and policies that should not cause any difficulty to any business.
The ICO is working hard to help you ensure people’s data is handled with care as we all continue our journey back to normality.