We have lived with the EU General Data Protection Regulations 2016 (GDPR) and Data Protection Act 2018 (DPA) for a while now, so businesses will understand their obligations in respect of how they must treat personal data and what needs to be in place to comply with these laws. Following Brexit, the GDPRs have been assumed into laws in England through the DPA and other implementing legislation. We are awaiting formal approval of the UK as a country with ‘adequate protection’ in place for protecting data subjects’ personal data, which will help make it easier to keep receiving EU personal data into the UK. However, the UK’s data protection regime provides a solid structure for businesses to follow in order to keep personal data they process secure, and protect the rights of individuals.
Travel businesses collect and process a large amount of personal data in relation to their customers, including contact details of the lead passenger, details of their travelling party, passport and visa information, payment data and potentially information relating to allergies and health data in respect of how it impacts the travel booking they have made. In addition, this data is generally passed on to other third party suppliers who are involved in the provision of the customer’s travel arrangements, mostly abroad, and the personal data is therefore being transferred outside the European Economic Area. Travel businesses will also be collecting and processing personal data about their employees.
Part of the compliance regime for businesses that process personal data is to take appropriate technical and organisational measures in order to keep personal data secure (the sixth data protection principle). It is important to make sure that your IT systems, together with your internal processes and third parties that you work with process personal data in a secure manner to try and prevent the accidental and unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In addition, businesses should consider what additional technical measures might be needed to keep personal data secure, particularly if this is being transferred to another third party, to help prevent a data breach (which could lead to ICO fines and compensation being payable to individuals). Measures such as encryption or pseudonymisation of personal data can help, as well as password protection, maintaining current anti-virus and anti-malware software and keeping data regularly backed-up, with restrictions to access data in place to reduce risk.
With life slowly getting back up and running following the pandemic, travel businesses will hopefully see an increase in enquiries and bookings for travel arrangements. Given the Government’s continued restrictions and plans in relation to international travel, with the aim of keeping people safe, there is a large amount of additional information and data that a travel business may need to collect about an individual to make sure that they have the right things in place to enable travel.
In the UK, the Government has proposed trialling Covid-19 Passports, which can help determine whether someone needs to isolate or quarantine. Covid-19 Passports, or Covid-status certification schemes, will use testing or vaccination data to confirm in different settings that individuals have a lower risk of getting sick with or transmitting Covid-19 than others. For such schemes to operate successfully, people are going to have to trust the framework and that will only happen if the schemes have suitable measures in place to protect personal data, ensuring that they work alongside the key data protection principles.
As an employer, you may also want to collect Covid-vaccination status data about your employees. This can be done, as long as you have a compelling reason to do it (ie, you are not collecting it ‘just in case’) and you are clear about what you are trying to achieve (eg, safe working environment for all employees, employees are working with vulnerable people, etc). Any collection and processing of personal data must be done in accordance with the key considerations below.
People will want to ensure that their personal data is kept confidential and secure, so any data sharing should be done under confidentiality obligations. As data relating to whether someone has had the Covid-19 vaccination, or results of their Covid-19 tests, constitute health information, this would be special category data. Data protection laws require anyone processing special category data to meet an additional condition for processing that data, therefore anyone processing this type of data must assess the basis upon which they will be processing that data and ensure the additional processing condition is in place.
To comply with data protection laws, businesses will need to consider the following points, including how they interoperate with any Covid- status certification scheme, or process any personal data which includes Covid-19 status information:
Businesses therefore need to make sure they are complying with these principles when it comes to collecting and processing any Covid-19 related personal data, including Covid-19 Passport data, to ensure continued compliance with data protection laws.
Any processing of such data should also be noted in your Record of Processing Activities in order to demonstrate compliance.
On a practical level, consider the volume of this type of data that you actually want to hold and how long for – if you haven’t already, you might want to have a strict retention and destruction policy in place so that you are holding this additional information for as short a period as possible, to help reduce the risk of holding this data without your systems.
Debbie Venn, Partner, DMH Stallard LLP. May 2021