What approach are the regulators taking?
In some other countries, the approach has been to adopt emergency legislation. For example, in Italy, individuals in certain transmission risk categories are now required to notify health authorities. Some regulators have given very clear guidance; for example, in New Zealand, it will not be “a breach of the Privacy Act for any accommodation provider or tourism operator to notify a medical officer or police officer of someone noncompliant with self-isolation obligations”, said John Edwards, its Privacy Commissioner.
So what about the UK, where we remain bound by the GDPR?
The Information Commissioner’s Office (ICO) is responsible for regulating data protection compliance in the UK, and recently issued a Statement on COVID-19 with further guidance on data protection and coronavirus.
The ICO’s Statement notes that the ICO is a “reasonable and pragmatic regulator” and “…one that does not operate in isolation from matters of serious public concern.” This helpfully suggests that ICO’s approach to regulation for the UK will be practical and proportional during these difficult times.
The European Data Protection Board (EDPB) has also issued a Statement on the processing of personal data in the context of COVID-19 and made clear that, even in these exceptional times, both controllers and processors must ensure the protection of personal data.
So, in summary, data protection compliance remains important, but the UK’s regulator is mindful that resources might be diverted away from usual data protection compliance work during these times and has confirmed that it will not penalise organisations that the ICO knows need to prioritise other areas or adapt their usual approach during this extraordinary period. But what does that mean in practice for your business, given that such pragmatism does not excuse blatant non-compliance?
Some highlights from the ICO’s guidance
Here are some of the highlights from the ICO’s guidance:
1. The ICO cannot extend statutory timescales but will inform people that may experience ‘understandable’ delays when making information rights requests during the pandemic
The ICO has not expressly outlined what statutory timescales it is referring to, but the reference to ‘making information rights requests’ suggests that this means data subjects’ rights under the data protection laws, including, for example, data subject access requests (DSARs). Timescales cannot be extended, but the ICO seems open to explaining delays to affected data subjects.
2. Organisations can inform staff of cases of COVID-19 within their organisations, but remember that individuals probably do not need to be named and only necessary information should be shared
The ICO recognises that employers have a duty to ensure the health and safety of their staff, and this may mean keeping staff up to date on any virus concerns within the organisation. However, organisations must always consider what personal data, if any, actually needs to be shared.
3. Proportionality remains key when collecting health data
The ICO reminds organisations to respect the data minimisation principle and to only collect personal data and health data that is actually needed. Helpfully, the ICO confirms that it is reasonable to ask staff and visitors to inform your organisation if they have visited a particular country, or are experiencing COVID-19 symptoms.
4. Organisations need to consider appropriate security measures for home working
All of us who can work from home are now doing so, but what does this mean for data protection compliance?
The data protection laws have never prevented remote or flexible working, and the ICO’s guidance supports this position while reminding organisations of the importance of ensuring the security of personal data during remote working. Here are some top tips:
- Remind staff of the organisation’s relevant remote working policies and practices.
- Remind staff to retain papers safely until they can return to the office and dispose of them securely in the usual way.
- Cyber threats are unfortunately on the increase during these times, and organisations should continue to raise awareness of phishing techniques and other common cyber security threats.
- Remind staff that the organisation’s data must be held and stored on the organisation’s network or in other approved environments.
Helping and supporting your business
We are here to help organisations through these difficult times. Please contact a member of our Data Protection team if you have any data protection queries.