Digitally Thinking

​COVID-19 and Data Protection Obligations – New ICO Guidance Published

Throughout the pandemic, employers have had to grapple and adapt quickly to how they deal with their data protection obligations, when checking and processing COVID-19 information relating to their staff.  For many employers, this has required an ongoing review of practices and procedures in line with government guidance.

Following the relaxation of the COVID-19 rules in England last month (for example, the end of free testing and no requirement for COVID status / vaccine passports), the Information Commissioner’s Office (ICO) has published helpful guidance for organisations and employers to help them comply with their data protection obligations moving forwards. 

Here are the key recommendations from the new ICO guidance that your business needs to be aware of and comply with: 

  • Review the approach and emergency practices you have put in place during the pandemic and ascertain whether the personal data collected is still necessary. You should ensure that this data is still reasonable, fair and proportionate to the current circumstances, taking the latest government guidance into account.
  • Manage positive cases in the workforce. Data protection law doesn’t prevent you from keeping staff informed about potential or confirmed COVID-19 cases amongst their colleagues.  However, you should avoid naming individuals wherever possible, and you should not provide more information than is necessary.
  • Assess any additional personal data collected and retained during the pandemic and ensure that it is securely disposed of (if no longer needed).
  • Check government guidance if continuing to collect vaccination information and be clear about what you are trying to achieve and how asking staff for their vaccination status helps to achieve this. 
  • The new guidance highlights some data protection compliance issues such as identifying a lawful basis other than “legal obligation” when collecting vaccination information if relevant legislation has expired.
  • As a person's vaccination status is “special category data”, it requires extra protection under data protection law. Therefore, both an Article 6 and an Article 9 condition for processing must be identified and in certain circumstances a data protection impact assessment will need to be completed.

Data protection is only one of many factors to consider and organisations should also take into account employment law and contracts with employees, health and safety requirements, and equalities and human rights (including privacy rights).

You can read the full ICO guidance here as well as our previous blog on “Coronavirus Vaccinations and Status – What are your data protection obligations?” here.

Please note that the above does not constitute advice from the Berwins Employment Team and is for information only. If you require any specific advice or support on this area or any other COVID-19-related employment issues, please call Mike Patterson on 01423 542778, or email

speech bubbles

We'd love to tell you more...

We're passionate about supporting digital businesses to thrive - find out how we can help you get where you need to be

Get in touch   right arrow