Coronavirus: Six data protection steps on the use of personal information

News article

ICO publishes data protection steps for businesses as COVID-19 measures ease

As lockdown restrictions start to ease and organisations plan to reopen, the Information Commissioner's Office (ICO) has set out six steps businesses will need to consider when using personal data as a part of their COVID-19 recovery plans.

These steps address questions about the rules around organisations collecting additional personal information - particularly data relating to health - to provide a safe environment for their staff.

The six key data protection steps they suggest are:

  • only collect and use what's necessary
  • keep it to a minimum - collect only the information needed to implement your measures appropriately and effectively
  • be clear, open and honest with staff about their data
  • treat people fairly
  • keep people's information secure
  • make sure staff can exercise their information rights

Find further details on the six key data protection steps.

As the ICO explains, data protection does not stop employers asking employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, as long as the principles of the law - transparency, fairness and proportionality – are applied.

The ICO has published further data protection advice for organisations to help you comply with these principles and ensure that you handle people's data with care.

This guidance includes advice on surveillance, individual rights and the ICO's regulatory approach during the COVID-19 pandemic and recovery, as well as a list of frequently asked questions in relation to employee testing.

If you have questions that are not covered by this guidance, you can call the ICO's helpline on Tel 0303 123 1113 for advice.


First published 29 June 2020