The UK Information Commissioner’s Office has published a blog post setting out six key steps for organisations to consider as they come out of lockdown. The post includes an introductory statement from the Information Commissioner explaining that the ICO has been answering questions about the rules around organisations collecting additional personal information to provide a safe environment for their staff. Data protection does not prevent appropriate testing, she emphasises, but the principles of the law must be applied. As in recent guidance on workplace testing, the emphasis is on transparency, fairness, and proportionality. The six steps set out are:

  1. Only collect and use what’s necessary.
  2. Keep it to a minimum.
  3. Be clear, open, and honest with staff about their data.
  4. Treat people fairly.
  5. Keep people’s information secure.
  6. Staff must be able to exercise their information rights.

The ICO is taking the opportunity to emphasise requirements that will be particularly key for returning to work, rather than creating new obligations: employers were already required to follow all of these steps under the GDPR. In these unprecedented times, employers may need to process more health data in ways they haven’t needed to before. New types of processing may be necessary to reopen their business. However, this guidance makes it clear that businesses will need to demonstrate that they are processing data in accordance with data minimisation principles and are safeguarding data subjects’ rights.