Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC, is known as the General Data Protection Regulation (GDPR). It is retained in UK law as the UK GDPR and so continues to apply in the UK.
UK GDPR applies to certain ‘processing’ of personal data. The ICO (the Information Commissioner’s Office) says –
If you are only conducting a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute ‘processing’. The activity would therefore fall outside of the UK GDPR’s scope.
However, if you are conducting checks digitally (for example, by scanning the QR code displayed on the pass), this would constitute processing of personal data – even if you do not keep a record of it. The UK GDPR would therefore apply.
If you make a record of any personal data, whether you conduct visual or digital checks, then you would be processing personal data and the UK GDPR would apply.
Article 9(1) of the GDPR prohibits the processing of ‘special category’ data, which includes health data. An employer therefore cannot hold employees’ medical data, including COVID status, unless one of the exceptions in Article 9(2) applies. Article 9(2) sets out the conditions under which an employer might lawfully hold COVID status data.
The ICO says –
A person’s COVID status is health data, which has the protected status of ‘special category data’ under data protection law. This means it requires extra protection. You must also identify an Article 9 condition for processing. The two you could consider are:
• the employment condition; or
• the public health condition.
If you intend to rely on the public health condition, you must ensure that either a health professional carries out the processing, or that you tell people you are treating their COVID status as confidential and would only disclose it in clearly defined circumstances.
Consent is rarely appropriate in an employment setting given the imbalance of power between the employer and employee. Similarly, consent is unlikely to be appropriate where checking a COVID pass is a condition of entry to your premises. This is because you cannot consider consent to be ‘freely given’ in these circumstances.
In practice this means that COVID status data cannot be held unless the employer can rely on one of the Article 9 conditions above (the employment condition or the public health condition); employee consent will not normally be an adequate basis.
The ICO provides detailed guidance on the steps to follow if COVID status information is to be requested and held – here.