The UK’s Information Commissioner’s Office has, over the course of this week, published various notes of advice and blog posts to organisations and data subjects in respect of the coronavirus (COVID-19) pandemic.
The overarching message in its data protection guidance for organisations is a measured one: the ICO recognises the unprecedented challenges facing organisations and individuals, and that resources (whether finances or people) may be diverted away from usual compliance or information rights work. Whilst statutory timescales cannot be extended, the ICO emphasises that it will not be penalising organisations for prioritising other areas or adapting their usual approach during this extraordinary period.
However, whilst recognising that organisations may need to share information quickly or adapt the way they work, the ICO does emphasise the continued need for proportionality in the actions they take, noting that if something feels excessive from the public’s point of view, it probably is.
On some of the key issues addressed, the ICO makes the following remarks:
- Collecting employee health data in respect of COVID-19. Employers have an obligation to ensure the health and safety of their employees, as well as a duty of care. However, this does not necessarily mean employers need to gather lots of personal data (and in particular health data) about their staff. It is reasonable to ask staff if they have visited a particular country or are experiencing COVID-19 symptoms, but organisations should consider carefully whether a valid legal basis exists for processing more than that. If specific health data is required, organisations should ensure that what is collected is kept to a minimum and treated with appropriate safeguards.
- Disclosing cases of COVID-19 within the organisation. Similarly, whilst employers should keep staff informed about cases of COVID-19 within their organisations, it is unlikely to be necessary to name the individuals concerned, and organisations should ensure they do not provide more information than is necessary. Likewise, it is unlikely that organisations will be required to share information with authorities in respect of specific individuals; but if it is necessary to do so, data protection law will not prevent this.
- Homeworking. Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may need to work from home more frequently than usual and use their own devices and/or communications equipment. However, organisations should consider the same kinds of security measures for homeworking that would be used under normal circumstances, in order to ensure continued compliance with their security obligations under the GDPR.
The ICO’s data protection guidance for organisations is consistent with its update to data subjects. In particular, that update alerts data subjects to the fact that (i) they may be asked to give their employers and other organisations details about their health condition and recent travel, and that where they consider this excessive, they should speak to the organisation involved; (ii) their employers may need to tell their colleagues if they become ill with coronavirus, although this does not mean that their name need be disclosed; and (iii) they should expect delays in organisations’ responses to data subject access requests during the pandemic as resources are diverted to address other challenges.
The advice issued by the ICO is considered but does not outline all considerations organisations will need to bear in mind in addressing GDPR compliance during the pandemic. Whilst it is clear that the ICO will take a measured approach to enforcement during this time, it does not mean that organisations can take their feet off the compliance pedal entirely. Organisations should ensure they give consideration to the prioritisation of their compliance programmes (and elements within them) and document their decision-making processes, including through the use of data protection impact assessments and/or legitimate interest assessments where appropriate, to ensure proportionality in their processing and associated decision-making.
Please email cdp@cooley.com if you have any questions. For additional information and guidance, please refer to Cooley’s Coronavirus Resources page. To sign up to receive Cooley’s c/d/p blog updates, visit cdp.cooley.com.