Skip to content

As the COVID-19 pandemic continues to spread and “business continuity” becomes increasingly important at an uncertain time for all organisations, data protection may not at present be your principal concern. The ICO has acknowledged this necessary shift in focus and priorities, publishing guidance on a range of data protection issues that the pandemic has given rise to, and gathering that guidance in a centralised “Data protection and Coronavirus information hub” on the ICO’s website, found here. The guidance recognises the unprecedented circumstances in which both data controllers and data subjects must now operate and reassures organisations that “The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern”.

That said, it remains essential that the personal data of individuals remains protected. In this article we look to answer some of the questions you might have about your organisation’s data protection law compliance at this uncertain and unsettling time.

Can we collect information relating to the health of our staff?

Have you been on holiday to an affected region? Are you displaying Coronavirus symptoms? Do you have any specific health conditions that make you particularly vulnerable? Have you come in to contact with anyone displaying Coronavirus symptoms?” These are the questions being asked today by businesses and employers on a daily basis.

Under the GDPR, information relating to an individual’s health or personal life is regarded as “special category data”. Such data requires careful handling, and often the individual’s explicit consent to processing. However, there are other lawful grounds for using such data, such as the protection of staff, visitors and the wider community.

The ICO has emphasised that the collection of personal data relating to an individual’s health should, even in today’s circumstances, be treated with caution. Organisations should not collect more information than is necessary, and any such information should be protected with appropriate safeguards.

So as to remain entirely transparent, organisations may wish to consider providing staff with a short privacy statement, setting out why and how sensitive personal data relating to staff will be collected and used during the pandemic. Indeed, the provision of “fair processing information” (in addition to an existing privacy policy or privacy notice) is a clear GDPR requirement where your organisation intends to further process personal data for a new purpose not envisaged by your existing privacy statements. Thinking practically, you might do that as part of the regular Coronavirus guidance you are issuing to staff.

Can we share that information?

The ICO has also indicated that the disclosure of such personal information, for example to other staff within an organisation, should be treated with caution; while you can tell other staff that “a colleague” has tested positively for COVID-19, the ICO suggests that organisations need not name the individuals concerned or provide more information to their colleagues than is necessary to protect the health and safety of their staff.

As to whether organisations can share health information relating to their staff with the authorities, data protection law does not prevent this where the sharing of such information is for public health purposes. Indeed, sharing such information, provided that the level of information shared is proportionate and reasonable, may well help the authorities tackle the Coronavirus outbreak.

Major mobile networks, for example, are sharing information including phone location and usage data to monitor whether pandemic limitation measures such as social distancing are working effectively. The ICO has commented on this, saying: “Generalised location data trend analysis is helping to tackle the Coronavirus crisis. Where this data is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified. In these circumstances, privacy laws are not breached as long as the appropriate safeguards are in place.” The key to compliance, then, is ensuring that such anonymisation is effective.

Should we be concerned about staff working remotely?

As organisations look to move towards a remote working model, it is essential that they take steps to address the associated cyber and data security risks. The ICO guidance emphasises that while data protection law does not prevent staff from working from home, suitable data security measures should be in place.

Bearing in mind that the GDPR requires organisations to use “appropriate technical and organisational measures” to protect personal data, organisations should consider reviewing their policies and procedures relating to remote working and ensuring that staff receive necessary training and guidance on both data protection and information security when working remotely. Areas to consider here include:

  • the use of multifactor authentication and encryption;

  • restricting downloads to removable devices (eg USB sticks);

  • checking the security of collaborative working software, such as video conferencing and document sharing tools (have you checked the security information and/or privacy notices of any third party systems or services that your staff are using for the first time, eg Zoom?);

  • raising awareness relating to cyber-attacks and other threats such as phishing emails and fraudulent websites; and

  • the disposal of hard copy documents containing confidential information or sensitive data.

For more detail on working from home and data security, please see this article from our colleagues Ian De Freitas and Thomas Rudkin.

Will the ICO take regulatory action against us?

Consistent with the ICO’s “reasonable and pragmatic” approach to handling sensitive personal information and sharing such information where necessary, the ICO has taken a similar approach to its own role as the UK’s data protection regulator.

While the ICO acknowledges that it cannot extend statutory timescales for responding to data subject access requests and other information rights requests, it recognises that organisations may need to adapt their approach to data protection compliance while they prioritise finances, personnel and other resources elsewhere. The ICO says: We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period and the ICO acknowledges that data subjects may experience “understandable delays when making information rights requests during the pandemic.

However, although such guidance may offer some comfort to organisations at the moment, it should not be taken as an invitation for an organisation to excuse itself from its data protection law obligations altogether.

At the time of writing, the ICO has not published any new enforcement action (eg fines) since the UK went into “lockdown” to try to slow the spread of COVID-19. However, we know that the ICO continues to process a lengthy backlog of enforcement cases and it will continue to receive and process new complaints about data protection compliance failings as normal. So while the ICO’s pragmatism and helpful coronavirus related guidance is comforting to see, we would advise our clients not to let data protection fall off the agenda in the coming weeks and months, and in particular if you have any concerns about data security and working from home, that should be addressed without delay.

If you require further information about anything covered in this briefing, please contact Alan Baker, Lucy Sharp, or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, April 2020

This site uses cookies to help us manage and improve the website and to analyse how visitors use our site. By continuing to use the website, you are agreeing to our use of cookies. For further information about cookies, including about how to change your browser settings to no longer accept cookies, please view our Cookie Policy. Click for more info

Back to top