The Information Commissioner’s Office (ICO) has recently set up an information hub on its web site (https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/) giving helpful guidance on data protection compliance in these difficult times.
Organisations may be concerned that they are no longer meeting their usual standards of data protection compliance because resources are being necessarily diverted elsewhere. The ICO has confirmed that it “won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.” Whilst the ICO is unable to extend the statutory time limits which apply to subject access requests (SARs) and other data protection rights of individuals, it will tell people that they may experience delays.
COVID-19 does not mean that organisations can ignore data protection legislation. You should still try to comply as much as possible. Keep a record of decisions made and the reasons for them, in case of scrutiny afterwards. You should continue to try to respond to SARs, keeping individuals informed and updated on the response and likely timescales.
Security measures for homeworking
The ICO confirms that data protection law does not prevent home working or staff from using their own device or communications equipment. However, the same kinds of security measures are needed as are used in normal circumstances.
Can you tell staff that a colleague may have contracted COVID-19?
Organisations should keep staff informed about cases, but individuals should not be named. The ICO states you should only disclose necessary information as required to satisfy your health and safety obligations and duty of care to staff.
Can you collect COVID-19 information from employees or visitors?
You have an obligation to protect employees’ health, but this does not mean you can collect lots of information about them. The ICO suggests asking people to tell you if they are experiencing COVID-19 symptoms, advising staff to call 111 if that is the case and asking visitors to consider government advice before they decide to come. If specific health data is still needed, then only collect what is necessary and ensure it is appropriately safeguarded. This includes keeping it secure and restricting access to it on a “need to know” basis.
Can you share employees’ health information with the authorities for public health purposes?
Yes, although the ICO considers it unlikely that you will need to share information about specific individuals.
This crisis has demonstrated community altruism and groups are springing up to help the vulnerable and those self-isolating. The ICO has a dedicated blog on its web site for these groups.
We understand that there are data protection challenges in this time of crisis. If you require any further information or assistance in complying with data protection obligations, please contact our specialist data protection team:
Amy Chandler, Partner, email@example.com
Patricia Jones, Consultant, firstname.lastname@example.org
Danielle Amor, Senior Associate, email@example.com