UK Privacy Regulator Issues Data Privacy Guidance for the ‘New Normal’

June 22, 2020 | Alerts

As lockdown restrictions ease and businesses begin to reopen, the UK Information Commissioner's Office (ICO) has set out the key steps organizations need to consider around the use of personal information. They are:

1. Only Collect and Use What is Necessary


  • How will collecting extra personal information help keep your workplace safe?
  • Do you really need the information?
  • Will the test you’re considering actually help you provide a safe environment?
  • Could you achieve the same result without collecting personal information?

2. Keep it to a Minimum

  • Don’t collect personal data that you don’t need.
  • Some information only needs to be held momentarily, and there is no need to create a permanent record.

3. Be Clear, Open and Honest With Staff About Their Data

  • Make sure you tell people how and why you wish to use their personal information, including what the implications for them will be.
  • You should also let employees know with whom you will share their information and for how long you intend to keep it.

4. Treat People Fairly

If you’re making decisions about your staff based on the health information you collect, you must make sure your approach is fair.

5. Keep People’s Information Secure

Any personal data you hold must be kept securely and only held for as long as is necessary.

6. Staff Must be Able to Exercise Their Information Rights

  • If you have decided to implement symptom checking or testing, there are additional requirements you need to follow.
  • These include identifying a lawful basis for using the information you collect and, if you’re processing health data on a large scale, conducting a data protection impact assessment.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. She can be reached at [email protected] or 215.444.7313.