If employees provide personal email addresses at the start of their employment and their personal email addresses were used to contact them while they worked from home during the Coronavirus Lockdown, is this a breach of data protection?

It will be important to check the content of your privacy notice in the first instance. Depending on the content of your privacy notice, if an employee provides a personal email address, you should generally only use this for contact where reasonably required for business purposes (ensuring to do so fairly).

Advice from the Information Commissioner on complying with data protection during times of remote working encourages employers to use the minimum amount of personal data as necessary. If employers are in doubt about their data protection compliance in light of changes necessitated by the COVID-19 pandemic, they should conduct a Data Protection Impact Assessment.

A Data Protection Impact Assessment is a process to help employers identify and minimise the data protection risks of a project, action or practice. Where a project, action or practice requires the processing of personal data, your Data Protection Impact Assessment must:

1. Describe the nature, scope, context and purposes of the processing;
2. Assess necessity, proportionality and compliance measures;
3. Identify and assess risks to individuals; and
4. Identify any additional measures to mitigate those risks.