Covid-19: GDPR update

As businesses ease out of Covid-19 lockdown, what are the GDPR requirements to consider?


As the UK slowly eases out of the Covid-19 lockdown, organisations might be wondering whether there are any specific GDPR requirements to consider. Here is a GDPR update with some of the issues to consider:

Covid-19 health information

As employees return to work, employers will understandably be asking more health-related questions: do they have any of the symptoms of Covid-19? Have they been tested? What were the results? And so on. Ordinarily, any collection and processing of health data would be considered as sensitive data under the General Data Protection Regulation (GDPR) and so explicit consent from the individual would be required.

Organisations should be aware that there is a carve-out in the GDPR which they can rely on. Article 9 of the GDPR has a subsection that allows the processing of personal data without consent if it’s necessary to protect ‘against serious cross-border threats to health’. The current Covid-19 pandemic would almost certainly fall within this category and so organisations would be able to rely on this as the legal basis for collecting and processing such sensitive data without the need to obtain explicit consent each time.

Nevertheless, be mindful to still apply the usual data protection principles – of confidentiality, data minimisation, purpose limitation and data security.

Working from home

Even though some employees are returning to the office, some organisations may consider that working from home is a sensible and productive option going forward.  If that is the case, then organisations need to ensure data protection is kept in mind.  Consider the following:

  • Security checks on employees’ laptops/remote working facilities.
  • Secure use of video conferencing facilities – check privacy settings and consider using passwords for meetings and restrictions on screen sharing.
  • Ensure employees use any hard copies of materials/print outs in a data-safe way. Locking away confidential papers should be promoted as good practice and you may wish to consider arrangements for collecting and shredding papers as necessary.
  • If employees are using their own personal laptops at home, they should be encouraged to store any work data in a separate place from their personal files on their laptop. This will help reduce data breaches and will ensure that data retention requirements can be met.
  • Obviously, the use of strong passwords and the latest software versions should be encouraged.

Despite these unprecedented times, organisations should continue to apply the principles set out in the GDPR:

Processing should be lawful, fair and transparent; data subjects should have a clear understanding of what personal data is being processed about them and why it is being processed. 

Remember these key principles (i) when employees are returning, (ii) when health information/testing is taking place and (iii) when considering the continued use of working from home facilities.

For more information contact [email protected] or speak to our commercial team.



This article was written by Clare Veal

Please note the contents contained in this article are for general guidance only and reflect the position at the time of posting. Legal advice should be sought before taking action in relation to specific matters.



© Peacock & Co 2024. All Rights Reserved.

Peacock & Co is authorised and regulated by the Solicitors Regulation Authority.