ICO issues employee data guidance as businesses reopen
Key steps for businesses reopening after the lockdown, regarding the use of personal information, have been set out by the Information Commissioner's Office.
Following enquiries from employers, the ICO has drawn up guidance on the rules around organisations collecting additional personal information to provide a safe environment for their staff. It sets out how data protection principles apply in this area.
The six key data protection steps are:
- Only collect and use what’s necessary. Employers should consider how collecting extra personal information will help keep their workplace safe, and whether they really need the information, or whether the same result could be achieved without collecting personal information.
- Keep it to a minimum. Organisations should collect only the information needed to implement their measures appropriately and effectively. The ICO has guidance on data minimisation. Some information only needs to be held momentarily, and there is no need to create a permanent record.
- Be clear, open and honest with staff about their data. Some people may be affected by an employer's proposed measures, including in their ability to work. Employers should tell people how and why they wish to use their personal information, what the implications for them will be, who they will share the information with and how long they intend to keep it.
- Treat people fairly. When making decisions based on the health information of staff, a fair approach must be adopted, one that does not cause any kind of discrimination.
- Keep people’s information secure. Any personal data must be kept securely and only held for as long as is necessary. It is good practice to have a policy on reviewing and deleting information.
- Staff must be able to exercise their information rights. Organisations should inform individuals about their rights in relation to their personal data, such as the right of access or rectification. They should be able to discuss any concerns.
Additional requirements apply if implementing symptom checking or testing.
Information Commissioner Elizabeth Denham commented: “Data protection does not stop you asking employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, as long as the principles of the law – transparency, fairness and proportionality – are applied.
“The further guidance we have published today will help you comply with these principles, so people’s data is handled with care as we all continue our journey back to normality.”