Right, so you would like to tell all your clients and customers that your staff are COVID-19 free. It’s a good idea, you think to yourself, as I can get more business than the place down the road which can’t say the same. What could be the harm in telling people that we are COVID free?
Well, while it may seem a good idea at the time, using another person’s health data for your marketing purposes is unlawful and will breach both the GDPR and the Data Protection Act.
This is because health data is special category data and, therefore, requires both an Article 6 legal basis and an Article 9 exemption. There is no legal basis or exemption that will lawfully allow you to market using another person’s health data. It is simply not permitted.
But, you say, what if I didn’t name any employees and only said that ‘all staff are COVID free?’ Surely that will be ok?
No, unfortunately, that isn’t lawful either. While you may think that it is anonymous, it actually isn’t. You see, if I looked into your business and saw your staff, I would know what the health data was for each of them, even if I didn’t know their names. So the data isn’t actually anonymous.
The moral of the story is that you must be very careful when using health data and seek advice.
Data protection law forms a large part of marketing so get in touch and we can help.