Covid-19: guidance on compliance with data protection requirements
Data protection obligations should not be overlooked
In the face of the Covid-19 pandemic, organisations are implementing exceptional measures to protect the health and safety of their employees and customers while at the same time trying to preserve business continuity. In many cases, this means sharing information quickly and adapting their usual ways of working. This is likely to involve collecting and processing new types of data and adopting novel methods of communication. In responding to these challenges, it is important that organisations do not overlook their data protection obligations.
Proportionality is key
Data protection regulators and bodies such as the UK ICO and European Data Protection Board (EDPB) have published guidance on compliance and enforcement in the context of the pandemic. The ICO in particular has compiled a dedicated hub with information, FAQs and useful links for organisations and individuals on how to tackle data protection issues in these extraordinary circumstances. The main message from both the ICO and EDPB is that data protection laws will not hinder organisations in responding to the crisis, but they should nevertheless ensure they are processing data lawfully. In short: proportionality is key.
- The ICO acknowledges the shift in priorities for organisations operating in these unprecedented circumstances. It provides reassurance that it is “a reasonable and pragmatic regulator”, and will “take into account the compelling public interest” in its approach to data protection compliance.
- Organisations will not be penalised for diverting resources away from their usual information governance work. Although statutory timescales cannot be extended (eg in relation to responding to subject access requests), the ICO accepts that data subjects may experience “understandable delays”. While this may provide some comfort, organisations should be careful not to neglect their data protection obligations altogether. The pandemic will not excuse non-compliance: organisations should still do everything reasonable and proportionate in the circumstances.
- In recognising the dramatic uptick in homeworking, the ICO is clear that organisations must apply the same level of security as they would in normal circumstances. As well as the practicalities of coping with an increased demand on servers and networks, this means implementing clear remote working policies and undertaking regular risk assessments to address cyber and data risks. Issues to consider include: ensuring confidentiality of information (eg locking laptops and documents away when not in use); avoiding exchange of data via unsecured networks; raising awareness of cyber threats (eg as hackers exploit changes to working practices); reporting data breaches; and checking and ensuring that only appropriately secure third party communication platforms and document sharing tools are used.
- When processing employee health data, the ICO understands that employers have a duty of care, and must protect the health and safety of their employees. That said, information about an individual’s health is considered “special category data” and can only be processed if a specific lawful basis applies. Even now, such processing should be treated with caution, and the usual rules on data minimisation and necessity will apply. In practice, this means that employers can inform employees that a colleague may have Covid-19, but should avoid naming that individual. We suggest that organisations should only do so where necessary (for example, if they have been working in close proximity to the individual in the last 14 days). In this respect, please see further advice from our employment team here.
- Public bodies may be required to collect and share additional personal data to protect against serious threats to public health.
- The Government, NHS and other health professionals can send public health messages to individuals by phone, text or email. These do not constitute marketing messages. However, this should not be taken as an invitation by other kinds of organisations to raise brand awareness without complying with ePrivacy rules.
- In a statement adopted on 19 March 2020, the EDPB reiterated a number of points addressed by the ICO.
- In addition, the EDPB confirmed that employers (and competent public health authorities) are able to process personal data in the context of a pandemic without obtaining consent from data subjects, provided they can rely on an alternative lawful basis. For example, in the case of employers, processing may be necessary for compliance with a legal obligation (eg health and safety in the workplace), or in the public interest (eg the control of diseases and other threats to health).
- In respect of mobile location data (which may be used to monitor and mitigate the spread of the virus, for example), the EDPB emphasised that ePrivacy laws must be followed. In principle, location data should only be used when it has been anonymised (eg by aggregation) or with the data subjects’ consent. However, when it is not possible to do so, exceptional legislative measures may be introduced to process such data for the purpose of safeguarding public security. These measures must be necessary, appropriate and proportionate, and give individuals the right to a judicial remedy.
Key messages for clients:
- do not sidestep your data protection obligations as a result of Covid-19. The current extenuating circumstances may be taken into account if they are diverting your resources elsewhere, but compliance is still important. The ICO continues to process complaints, enforcement cases and reports of non-compliance;
- address issues around data security as you adopt new ways of working as a matter of urgency (eg consider undertaking new risk assessments);
- keep records of any new data processing activities and, where necessary, undertake data protection impact assessments to document your decision making in connection with such processing. Limit the volume and nature of processing to what is strictly necessary;
- remind employees of your relevant policies and procedures and update these where necessary (eg remote working policy);
- where applicable, keep employees and customers informed about how you are tackling particular data protection issues (eg new cyber security threats);
- consider implementing a short privacy notice or statement for employees and/or customers describing how their data will be processed during the pandemic;
- address any further data protection issues relating to employees (eg in respect of employees who are in - or live with others who are in - vulnerable groups; taking temperature checks; and asking about holiday plans). See further advice from our employment team here;
- consider if the scope of your processing of personal data has changed in such a way that you need to update your ICO notification;
- review contracts with third party vendors involved in hosting or processing personal data to ensure that they contain required protections in relation to personal data;
- reassess your data protection practices when things return to normal.