Covid-19 data: what data protection issues exist?


We have lived with the EU General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (DPA) for a while now, so businesses will understand their obligations in respect of how they must treat personal data and what needs to be in place to comply with these laws. Following Brexit, the GDPR has been incorporated into the law of England through the DPA and other implementing legislation. We are awaiting formal approval of the UK as a country with ‘adequate protection’ in place for data subjects’ personal data, which will make it easier to keep receiving EU personal data into the UK. However, the UK’s data protection regime already provides a solid structure for businesses to follow in order to keep the personal data they process secure and to protect the rights of individuals.

What data do you process?

Travel businesses collect and process a large amount of personal data in relation to their customers, including contact details of the lead passenger, details of their travelling party, passport and visa information, payment data and potentially information relating to allergies and health data insofar as it affects the travel booking they have made. In addition, this data is generally passed on to other third-party suppliers who are involved in the provision of the customer’s travel arrangements, mostly abroad, so the personal data is being transferred outside the European Economic Area. Travel businesses will also be collecting and processing personal data about their employees.

Technical and organisational measures

Part of the compliance regime for businesses that process personal data is to take appropriate technical and organisational measures in order to keep personal data secure (the sixth data protection principle). It is important to make sure that your IT systems, your internal processes and the third parties you work with all process personal data in a secure manner, to prevent the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In addition, businesses should consider what additional technical measures might be needed to keep personal data secure, particularly if it is being transferred to a third party, to help prevent a data breach (which could lead to ICO fines and compensation being payable to individuals). Measures such as encryption or pseudonymisation of personal data can help, as can password protection, maintaining current anti-virus and anti-malware software, keeping data regularly backed up, and having access restrictions in place to reduce risk.

Covid-19: What are the implications for personal data?

With life slowly getting back up and running following the pandemic, travel businesses will hopefully see an increase in enquiries and bookings for travel arrangements. Given the Government’s continued restrictions and plans in relation to international travel, with the aim of keeping people safe, there is a large amount of additional information and data that a travel business may need to collect about an individual to make sure that the right things are in place to enable travel.

In the UK, the Government has proposed trialling Covid-19 Passports, which can help determine whether someone needs to isolate or quarantine. Covid-19 Passports, or Covid-status certification schemes, will use testing or vaccination data to confirm in different settings that individuals have a lower risk of getting sick with or transmitting Covid-19 than others. For such schemes to operate successfully, people are going to have to trust the framework, and that will only happen if the schemes have suitable measures in place to protect personal data and work alongside the key data protection principles.

As an employer, you may also want to collect Covid-vaccination status data about your employees. This can be done, as long as you have a compelling reason to do it (ie, you are not collecting it ‘just in case’) and you are clear about what you are trying to achieve (eg, a safe working environment for all employees, or employees working with vulnerable people). Any collection and processing of personal data must be done in accordance with the key considerations below.

People will want to ensure that their personal data is kept confidential and secure, so any data sharing should be done under confidentiality obligations. As data relating to whether someone has had the Covid-19 vaccination, or the results of their Covid-19 tests, constitutes health information, it is special category data. Data protection laws require anyone processing special category data to meet an additional condition for processing that data, so anyone processing this type of data must assess the basis upon which they will be processing it and ensure the additional processing condition is in place.

Key considerations

To comply with data protection laws, businesses will need to consider the following points, including how they interoperate with any Covid-status certification scheme or process any personal data which includes Covid-19 status information:

  • Be lawful and fair (ie, proportionate, necessary and meeting the public’s reasonable expectations for the processing of their data). This includes not holding or processing more data than is necessary;
  • Have a lawful basis for processing, and meet the additional requirement for processing special category data;
  • Have appropriate safeguards in place to protect your systems, including identifying any vulnerabilities that need fixing, and review and update these regularly;
  • Have a clear purpose for the use of the data collected and limit that purpose to a specific, explicit and legitimate purpose;
  • Keep data accurate and up to date (particularly as Covid-19 status may change quite quickly);
  • Ensure there is transparency about how personal data is processed and shared;
  • Minimise the personal data retained in the business and delete it when no longer needed;
  • Carry out a privacy impact assessment to determine what personal data is really needed and how it can be processed as securely as possible;
  • Give guidance and training to staff on systems and policies relating to data protection and cyber security issues, to reduce the risk of human error;
  • Where systems are controlled by third parties, make sure there is a data processing agreement (or data sharing agreement) in place that sets out minimum data security standards and how data breaches will be dealt with. Consider international data transfer obligations and the potential need for standard contractual clauses.

Businesses therefore need to make sure they are complying with these principles when collecting and processing any Covid-19 related personal data, including Covid-19 Passport data, to ensure continued compliance with data protection laws.

Any processing of such data should also be noted in your Record of Processing Activities in order to demonstrate compliance.

On a practical level, consider the volume of this type of data that you actually want to hold and for how long – if you haven’t already, you might want to put a strict retention and destruction policy in place so that you hold this additional information for as short a period as possible, to help reduce the risk of holding this data within your systems.

Individuals will no doubt have an expectation of how this type of personal data will be used and protected, and it is imperative that businesses consider these issues, implement these measures, and update any privacy policy or notices when collecting such data in order to be transparent and ensure their compliance with data protection laws.

Debbie Venn, Partner, DMH Stallard LLP. May 2021