Email and the Law

ICO Guidance On Personal Health Data

With the end of Covid restrictions in sight, if you have good eyesight, you are probably feeling a little euphoric. Maybe your short-term problems are over. A return to normal-ish email marketing campaign planning is surely just around the corner.

It’s not a return to the ‘old days’. There are a number of factors with regard to the fallout from the vaccination programme that should concern you. In-house management of health risks, particularly data sharing with regard to vaccination and contact tracing, is a case in point.

The ICO is treating this matter seriously, as you would expect. They have produced a series of pages on their website:

It is not a short read; probably comfortably in excess of 10,000 words, so not something you can scan-read quickly before an important meeting. It follows the ICO’s normal style in that it is divided into six sections. These are:

Regulatory approach,



Case studies: disclosing information for contact tracing,

Collecting customer and visitor details for contact tracing,


The first item, regulatory approach, reiterates the reassuring news for those of us who are worried that our data protection practices might not meet our usual standards due to Covid-19 difficulties. The ICO says that it will be flexible in its approach, accepting that organisations need to prioritise other areas, and the section includes a link to a document setting out its regulatory approach. There are limits, one assumes, to the ICO's generosity, and it’s best not to test it.

The section that is probably of interest at the moment, vital for some, is the one on vaccinations. It explains the basis in law which you can put to employees challenging whether or not you can make testing or checking for Covid-19 symptoms mandatory. The explanation is as clear as such a complex matter can be.

As is normal, rumours abound. The problem arises when your staff read something which has limited, maybe even negligible, basis in fact and take it as gospel. You will want to ease their minds, as well as yours. The ICO’s explanations will be useful to you and them.

You might be wondering if you can collect data on whether your employees have taken advantage of vaccinations against Covid-19. Personal health is, of course, special category data. You are obliged to treat it in exactly the same manner as you would treat outside data in the same category. But data protection regulation is but one factor to consider in the matter.

The ICO lists employment law and contracts, health and safety requirements and equalities and human rights issues, and other factors you must consider. Not an easy path to tread, as you will, no doubt, appreciate. The complexity is not something which can be summarised effectively or even usefully in a short article.

I would suggest it is essential that you go to the ICO page linked to above and familiarise yourself with the details and implications. It is best to be fully informed on this aspect. Thoughts on the likely outcome, should you get it wrong, are unlikely to help you sleep at night.


