27 April 2022

On Monday 18 April 2022 the Scottish Government announced the repeal of Coronavirus related restrictions that were in place for a number of years, including a step back from face masks and a retreat from the “Covid Passport” scheme.

While the first port of call for many may have been one of celebration, it is also important to consider what impact the easing measures that were, until recently, very much a part of our lives will have on the procedures put in place by business to deal with them.

Necessity

It should firstly be considered whether the data handling practices developed in the last two years remain necessary.

When pandemic rules first came into place organisations were faced with the challenge of handling personal data in a way which was new. For example, companies may have shared health data to protect employees. Pubs and restaurants may have shared health data of visitors to comply with legal obligations.

At that time, businesses had a legitimate interest and indeed in some cases a legal obligation to process that data. Even so, it remained paramount then to maintain transparency and ensure that people were informed of the processing.

Now, the ICO recommends considering whether collecting personal information will continue to keep a workplace safe or comply with obligations, and whether the desired result of collecting the personal information could be achieved by some other means.

Above all, businesses should be sure that the collection of personal information is reasonable, fair and proportionate in light of government guidance.

Retention

What, then, should be done with the information collected during the periods of restrictions?

Businesses should assess the appropriateness of retaining that information with the principles of data minimisation in mind. If a pub has collected information about its customers, and there is no longer an obligation to share that information with the government, is it really necessary for it to retain that personal data?

It may be tempting to use the data collected for the purposes of customer databases, however the ICO can issue fines for the unlawful use of personal data and this could include for repurposing data collected during the pandemic.  

If it is no longer necessary to retain the information, it is important to ensure that the information is disposed of securely.

Continuing data collection

As usual, a business should have a clear reason to collect and store personal data. The use of personal data must always be fair, relevant, transparent and necessary for a specific purpose.

The ICO has advised that if businesses wish to collect vaccination information, which is health data and thus special category data, data protection is not the only factor to have in mind - rules including employment laws, health and safety requirements and human rights may also be engaged. It has also stated that collecting this information on a “just in case” basis is unlikely to be justified.

The collection of personal data should not result in any unfair treatment of data subjects, and the data should only be used for purposes which they would reasonably expect. As always, a lawful basis is required. If a legal obligation, which has now been repealed, was that lawful basis then a new one should be identified.

The ICO suggests that while a positive case in the office can be shared with employees, the identify should be protected and no more information than necessary provided.

If you have any questions about the changing landscape’s impact on your data protection polices, please get in touch with BTO’s Data Protection Team.

Lynn Richmond, Partner: lyr@bto.co.uk / 0131 222 2939

Lily Morrison, Trainee Solicitor (Author): lmo@bto.co.uk / 0141 221 8012