Staff Data Protection
As the pandemic lockdown restrictions start to ease and council offices begin to reopen, the Information Commissioner's Office (ICO) has set out key steps for dealing with personal staff information.
Data protection does not prevent managers asking staff if they have COVID-19 symptoms or introducing appropriate testing, as long as the principles of the law - transparency, fairness and proportionality - are applied in accordance with the GDPR and the Data Protection Act 2018.
As personal data that relates to health is more sensitive and is classed as ‘special category data’, it must be protected even more carefully.
The data protection steps listed below will help you keep staff and the public safe and supported during the present public health emergency, whilst ensuring that personal data is handled correctly.
- Keep personal data collection to a minimum – do not collect unnecessary personal data or retain it for longer than required. Some information only needs to be held for a short period, with no need to create a permanent record. Go to the ICO guidance on data minimisation for more information.
- To determine if collecting and using people’s health data is necessary in order to keep staff safe, you should consider the following:
  - How will collecting extra personal information help keep your workplace safe?
  - Will testing help you provide a safe environment?
  - Could you achieve the same result without collecting personal information?
- You must clearly demonstrate to staff that your approach is reasonable, fair and proportionate to the circumstances and is in accordance with the GDPR and the Data Protection Act 2018.
What you need to do
Be clear, open and honest with staff about their data –
- to alleviate staff concerns, you must advise them why you need their personal information, including what the implications for them will be.
- you should advise how their information will be used and shared, and how long it will be retained.
- staff must have the option to exercise their information rights and discuss any concerns with you – for more details go to the General Data Protection Regulation.
Treat people fairly - your approach to making decisions about your staff based on the health information you collect must be fair and non-discriminatory, and actions taken must not be detrimental to staff.