Managing personal data collected and used during the pandemic: Stay compliant

To keep employees and customers safe during the COVID-19 pandemic, many organisations adopted emergency practices in respect of collecting and processing personal data relating to the pandemic. David Edwards and Charles Mather from Harrison Drury’s regulatory team outline new guidance to ensure that businesses remain compliant.

In line with the recent relaxation of the government’s COVID-19 safety measures, the Information Commissioner’s Office (ICO) has published new guidance relating to personal data collected and processed by organisations in consequence of the pandemic.

The guidance falls broadly into the four categories outlined below.

1. Emergency practices put in place during the pandemic

Organisations should review any practices that were put into place during the pandemic to ensure that the related collection and processing of personal data remains reasonable, fair and proportionate to the current circumstances, taking the latest government guidance into account.

2. Retention of personal data collected during the pandemic

The storage limitation principle of the United Kingdom General Data Protection Regulation (UK GDPR) requires that personal data must not be processed or maintained for longer than is necessary to fulfil the objective for which it was collected.

Organisations may only use personal data for a new purpose if it is compatible with the original purpose, or if consent is given, or the organisation has a clear obligation or function set out in law to do so.

Where an organisation has determined that personal data collected for the purposes of the pandemic is no longer required, that personal data should be disposed of and destroyed in a confidential and secure manner.

3. Vaccination status

To collect and process special category personal data in accordance with UK GDPR, organisations must identify both a lawful basis under Article 6 and a separate condition for processing under Article 9. If they cannot do so, then collection and processing is unlawful.

Organisations that continue to collect special category health data, in the form of vaccination status, must be clear about what it is they are trying to achieve and how collecting the employees’ vaccination status contributes to that objective.

If organisations can achieve a stated objective without collecting this data, they are unlikely to be able to justify its collection.

4. Information about positive COVID-19 cases among employees

Any organisation that decides to inform employees about possible or confirmed COVID-19 cases among colleagues in order to manage its workforce should, where possible, avoid naming individuals, and should not provide colleagues with more information than is necessary.

The ICO has the power to penalise organisations that do not adhere to the GDPR and fines can be substantial. If you require guidance regarding the management of your organisation’s personal data or need help with any other data protection matter, please contact Harrison Drury’s regulatory team on 01772 258321.

This article first appeared on

Downtown in Business
