As businesses bring staff back in, many will be processing new types of personal data on their employees, including health information on those who are shielding or self-isolating, the body temperatures of employees and visitors to their premises, and where their employees are at any time.

These types of personal data, as far as the General Data Protection Regulation (GDPR) is concerned, are likely to fall within ‘special categories of personal data’ because of their relevance to health, and therefore will have to be dealt with differently to the usual staff information.

The GDPR also focuses on data minimisation and requires businesses to only collect as much personal data as is strictly necessary.

Companies do need a legal basis for processing this data – the normal reasons for doing so are:

legitimate interests;

contractual necessity (to ensure the health, safety and well-being of their employees); and

legal obligation (i.e. collecting data in order to comply with new coronavirus laws).

But they are also likely to need to satisfy a further condition, given that the personal data is health-related.

One of these conditions is the collection of data for ‘public health’ reasons. This would be relevant if a business is acting on the advice of public medical advisors in relation to Covid-19 – a very common reason.

Firms should take some practical steps to keep data secure and confidential.

They should review and update privacy notices to reflect the changes in the collection of data from employees, as well as their remote working policies; they should also remind employees of data security and confidentiality.

Finally, a data protection impact assessment will be needed because of the sensitive nature of the data.