So many times, I get asked am I doing data protection right? The real crunch is, it’s personal. It’s perspective. While the main driver is attitude, there are six questions you need to answer yes to.
- Do I only collect, and use, the personal data I need to?
- Do I keep it to a minimum?
- Am I clear, open and honest with everyone about their personal data?
- Do I treat people fairly?
- Do I keep people’s personal information secure?
- Are staff able to exercise their information rights?
Some organisations may be too small to worry about question 6, but remember this would include voluntary staff and contractors.
Do I only collect the personal data I need to?
To help you decide if collecting and using people’s health data is necessary to keep your staff safe, you should ask yourself a few questions:
- How will collecting extra personal information help keep your workplace safe?
- Do you really need the information you are collating?
- Will the test you’re considering actually help you provide a safe environment?
- Could you achieve the same result without collecting personal information?
If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.
Do I keep it to a minimum?
When collecting personal information, including people’s COVID-19 symptoms or any related test results, organisations should collect only the information needed to implement their measures appropriately and effectively.
Remember that health data is part of the Special Category Data and needs to have tighter controls than “normal” personal data.
Don’t collect personal data that you don’t need. Some information only needs to be held momentarily, and there is no need to create a permanent record.
Am I clear, open and honest with everyone about their personal data?
Some people may be affected by some of the measures you intend to implement. For example, staff may not be able to work. You must be mindful of this, and make sure you tell people how and why you wish to use their personal information, including what the implications for them will be.
You should also let any staff you have know who you will share their information with and for how long you intend to keep it. Remember , staff can mean employees, volunteers and/or contractors. You can do this through a clear and accessible policies and contracts.
Do I treat people fairly?
If you’re making decisions about your staff based on the health information you collect, you must make sure your approach is fair.
Think carefully about any detriment they might suffer as a result of your policy. Make sure your approach doesn’t cause any kind of discrimination.
Do I keep people’s personal information secure?
Any personal data you hold must be kept securely and only held for as long as is necessary. In my opinion it’s vital to have a retention policy in place. This should set out when and how personal information needs to be reviewed, deleted or anonymised.
Are staff able to exercise their information rights?
As with any data collection, we would expect organisations to inform individuals about their rights in relation to their personal data, such as the right of access or rectification. Staff must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have with organisations.
If you have decided to implement symptom checking or testing, there are additional requirements you need to follow. These include identifying a lawful basis for using the information you collect. If you’re processing health data on a large scale, you should consider conducting a data protection impact assessment.
A fair approach to handling people’s data, which is transparent in its purpose and compliant with data protection law, will gain the trust of colleagues and communities in this exceptional time.
If you want to know if you have got a lid on the initial steps to take, visit: https://eyebray.com/frequently-asked-questions-about-the-first-steps-on-your-data-protection-journey/.
If you’d like to know what policies make up a good set of internal documents for data protection purposes visit: https://eyebray.com/what-internal-documents-do-i-need-for-gdpr/.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through firstname.lastname@example.org , or by calling 0743211611.
Alternatively visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for information direct from the ICO.