With the Omicron variant leading to rapid increases in COVID-19 infection rates, the Government has in the last few weeks published a sweep of new measures seeking to curb the trend. Perhaps one of the more controversial new rules relates to the mandatory COVID-19 status checks; certain venues and events are now required to confirm whether people have a valid NHS COVID Pass, equivalent international proof of vaccination, or a negative test result before allowing entry.

On 13 December, the Department of Health and Social Care published detailed guidance on how these checks should work in practice. Not everyone is caught; whether a business is subject to the requirements depends on matters such as opening hours, whether people will be dancing/drinking alcohol, the number of attendees expected, and whether the event is held indoors or outdoors. Theatres, night clubs, outdoor sports stadiums and conference centres are all likely included.

Specifically, the guidance covers how the COVID-19 status checks should be undertaken, who is responsible for ensuring they are carried out and what records of compliance should be kept. It also includes a list of exempt activities and events. Finally (and importantly), the guidance reminds businesses of their data protection duties. It:

  • explains that data protection law applies to the processing of personal data in the context of the checks;
  • stresses that businesses should not save any information about someone’s COVID-19 status;
  • reiterates controllers’ transparency obligations; and
  • points the reader to a list of other sets of guidance that should be taken into account.

This list includes specific ICO guidance on COVID-19 Status Checks. Like the guidance from the Department of Health, the ICO’s publication emphasises the transparency obligations of venue owners and event organisers. Interestingly, these include in this instance not only the sharing of privacy notices, but also the putting up of posters outside the venue entrance. In addition, it:

The Department of Health’s and ICO’s publications add to a growing (and increasingly confusing) patchwork of rules and guidelines that businesses have to navigate when processing personal data in the context of the pandemic. However, in our view it is very important that they do so; compliance is easy to check and failure to comply with the Department of Health’s guidance alone can lead to closure orders and could ultimately result in prosecution and fines. Never mind the cost and reputational damage involved in an ICO investigation…