As the COVID-19 pandemic continues to spread and “business continuity” becomes increasingly important at an uncertain time for all organisations, data protection may not at present be your principal concern. The ICO has acknowledged this necessary shift in focus and priorities, publishing guidance on a range of data protection issues that the pandemic has given rise to, and gathering that guidance in a centralised “Data protection and Coronavirus information hub” on the ICO’s website. The guidance recognises the unprecedented circumstances in which both data controllers and data subjects must now operate and reassures organisations that “The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern”.
That said, it remains essential that the personal data of individuals remains protected. In this article we look to answer some of the questions you might have about your organisation’s data protection law compliance at this uncertain and unsettling time.
Can we collect information relating to the health of our staff?
“Have you been on holiday to an affected region? Are you displaying Coronavirus symptoms? Do you have any specific health conditions that make you particularly vulnerable? Have you come into contact with anyone displaying Coronavirus symptoms?” These are the questions now being asked daily by businesses and employers.
Under the GDPR, information relating to an individual’s health or personal life is regarded as “special category data”. Such data requires careful handling, and often the individual’s explicit consent to processing. However, there are other lawful grounds for using such data, such as the protection of staff, visitors and the wider community.
The ICO has emphasised that the collection of personal data relating to an individual’s health should, even in today’s circumstances, be treated with caution. Organisations should not collect more information than is necessary, and any such information should be protected with appropriate safeguards.
Can we share that information?
The ICO has also indicated that the disclosure of such personal information, for example to other staff within an organisation, should be treated with caution; while you can tell other staff that “a colleague” has tested positive for COVID-19, the ICO suggests that organisations need not name the individuals concerned or provide more information to their colleagues than is necessary to protect the health and safety of their staff.
As to whether organisations can share health information relating to their staff with the authorities, data protection law does not prevent this where the sharing of such information is for public health purposes. Indeed, sharing such information, provided that the level of information shared is proportionate and reasonable, may well help the authorities tackle the Coronavirus outbreak.
Major mobile networks, for example, are sharing information including phone location and usage data to monitor whether pandemic limitation measures such as social distancing are working effectively. The ICO has commented on this, saying: “Generalised location data trend analysis is helping to tackle the Coronavirus crisis. Where this data is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified. In these circumstances, privacy laws are not breached as long as the appropriate safeguards are in place.” The key to compliance, then, is ensuring that such anonymisation is effective.
Should we be concerned about staff working remotely?
As organisations look to move towards a remote working model, it is essential that they take steps to address the associated cyber and data security risks. The ICO guidance emphasises that while data protection law does not prevent staff from working from home, suitable data security measures should be in place.
Bearing in mind that the GDPR requires organisations to use “appropriate technical and organisational measures” to protect personal data, organisations should consider reviewing their policies and procedures relating to remote working and ensuring that staff receive necessary training and guidance on both data protection and information security when working remotely. Areas to consider here include:
- the use of multifactor authentication and encryption;
- restricting downloads to removable devices (eg USB sticks);
- checking the security of collaborative working software, such as video conferencing and document sharing tools (have you checked the security information and/or privacy notices of any third party systems or services that your staff are using for the first time, eg Zoom?);
- raising awareness relating to cyber-attacks and other threats such as phishing emails and fraudulent websites; and
- the disposal of hard copy documents containing confidential information or sensitive data.
Will the ICO take regulatory action against us?
Consistent with the ICO’s “reasonable and pragmatic” approach to handling sensitive personal information and sharing such information where necessary, the ICO has taken a similar approach to its own role as the UK’s data protection regulator.
While the ICO acknowledges that it cannot extend statutory timescales for responding to data subject access requests and other information rights requests, it recognises that organisations may need to adapt their approach to data protection compliance while they prioritise finances, personnel and other resources elsewhere. The ICO says: “We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period” and the ICO acknowledges that data subjects may experience “understandable delays when making information rights requests during the pandemic”.
However, although such guidance may offer some comfort to organisations at the moment, it should not be taken as an invitation for an organisation to excuse itself from its data protection law obligations altogether.
At the time of writing, the ICO has not published any new enforcement action (eg fines) since the UK went into “lockdown” to try to slow the spread of COVID-19. However, we know that the ICO continues to process a lengthy backlog of enforcement cases, and it will continue to receive and process new complaints about data protection compliance failings as normal. So while the ICO’s pragmatism and helpful coronavirus-related guidance is comforting to see, we would advise our clients not to let data protection fall off the agenda in the coming weeks and months, and, in particular, to address any concerns about data security and working from home without delay.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, April 2020