6 steps to data protection compliance - returning to the new ‘normal’

After 12 weeks of coronavirus ‘lock-down’ restrictions, many employees are now returning to their place of work as restrictions are further eased with ‘non-essential’ shops now opening.

In response to this, the ICO has issued a list of 6 key steps that organisations need to consider around use of personal information (see ICO Coronavirus Recovery). We have extracted the key parts of the guidance and added additional points to consider:

· Only collect and use what’s necessary.

This may seem obvious, however the following basic steps should help you to identify whether the approach is fair, reasonable and proportionate and therefore more likely to be compliant with data protection law:

  • How will collecting extra personal information help keep your workplace safe?
  • Do you really need the information?
  • Will the test you’re considering actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information?

· Keep it to a minimum.

This really echoes the point above - don’t collect personal data unless strictly necessary to do so and remove / delete it when it is no longer required. It is important to have clear policies around collection, use and retention of personal data to ensure this principle is complied with in your organisation.

· Be clear, open and honest with staff about their data.

Ensure employee privacy notices are up to date, setting out how and why employee personal information will be used and the implications for them (e.g. who you will share their information with and for how long you intend to keep it).

· Treat people fairly.

If you intend to make decisions about your staff based on the health information you collect, you must make sure that the approach you adopt is fair and considered. When identifying the types of decisions you will make using the information collected, it will be important to think carefully about any detriment your staff might suffer as a result of your policy, and tailor this approach in order to minimise the risk of potential discrimination claims.

· Keep people’s information secure.

Ensure that company processes for secure handling and storage of personal data are observed and make sure the policies are documented and that staff are trained (this should include a retention policy setting out how long information should be retained for and the process for secure deletion / removal from systems).

· Staff must be able to exercise their information rights.

Make sure you inform individuals about their rights in relation to their personal data – again, this reinforces the point that written policies and procedures should be in place, regularly updated to take account of any changes and to ensure that staff are able to quickly and easily access the applicable policy / procedure. Ensure regular awareness campaigns are scheduled to keep staff updated – email followed up with a video / audio conference call can be powerful tools to ensure staff are aware and can ask questions.

If you are considering implementation of symptom checking / testing, the ICO has produced specific guidance, containing ‘frequently asked questions’ that will be of use (see: ICO Testing Guidance).

For more information on the article above contact Tom Phipps and Emily Bowden.