The ICO has published in a blog post some helpful guidance on data protection compliance and COVID-19. This also draws on a statement issued by the European Data Protection Board (EDPB).
Broadly, data protection rules (such as the GDPR) do not hinder measures taken in the fight against the pandemic. The EDPB says that it is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB underlines that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of data subjects.
The ICO recognises the unprecedented challenges we are all facing during the pandemic, and that organisations might need to share information quickly or adapt the way they work. The ICO confirms that data protection will not stop you doing that. It’s about being proportionate, and not going beyond what people might reasonably expect.
Core data protection principles need to be followed even for emergency data uses. This includes the following:
- Personal data that is necessary to attain the objectives pursued should be processed for specified and explicit purposes.
- Data subjects should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information provided should be easily accessible and provided in clear and plain language.
- It is important to adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties.
- Measures implemented to manage the current emergency and the underlying decision-making process should be appropriately documented.
Delays in compliance
ICO guidance: Organisations with concerns about complying with GDPR requirements are offered assurance. The ICO says they understand that resources, whether finances or people, might be diverted away from usual compliance work. The ICO indicate that they won’t penalise organisations that they know need to prioritise other areas or adapt their usual approach during this extraordinary period.
While the ICO can’t extend statutory timescales, they will tell people that they may experience understandable delays when making information rights requests during the pandemic.
Comment: This offers some comfort, for example, to businesses that are currently grappling with lack of resource or access to documents for responding to data subject access requests (DSARs) which have a deadline for response of one month or, in complex cases, extendable to three months. A key factor will be to keep the data subject up to date with progress on the response.
ICO guidance: Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
Comment: Employers should carry out a data privacy risk assessment of the data protection implications of employees working from home on a scale greater than might be usual. This could include review of the following:
- ensuring staff have been given training and guidance and regular reminders about their obligations to safeguard personal data, including not saving sensitive data to unsecured devices or cloud storage;
- as there is an uptick in cybercriminals and email scams looking to profit from the crisis, warning staff about emails that may look as if they are from official sources but include malicious software, as well as fake phishing emails impersonating people within the organisation;
- requiring the use of complex passwords and the need to change them often;
- taking care when using wifi, avoiding public wifi and using known secure wifi where possible.
Can you tell staff that a colleague may have contracted COVID-19?
ICO Guidance: Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.
The EDPB adds that in cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context), the concerned employees should be informed in advance and their dignity and integrity protected.
Comment: even though such information relates to a person’s health, which is classified as special category (or sensitive) personal data, an employer is entitled to process / disclose this information where necessary to comply with employment law which includes ensuring the health, safety and welfare of its employees. Again, this only extends to what is necessary and proportionate for this purpose.
Can you collect health data in relation to COVID-19 about employees or from visitors?
ICO Guidance: You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.
It’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms.
You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.
If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.
Comment: while this guidance was issued only in the past few days, it can become rapidly out of date as Government / NHS guidance on COVID-19 changes.
Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at firstname.lastname@example.org