Mar 122020

ICO Issues Data Protection and Coronavirus Guidance

William RM Long and Eleanor Dodding
, , , , ,

In light of the ongoing Coronavirus (COVID-19) pandemic, the ICO has today issued guidance on “Data protection and coronavirus: what you need to know” for data controllers. The ICO has also published advice for healthcare practitioners. Guidance has also been issued by many other Data Protection Authorities in other European countries.

The ICO comments that data protection considerations will not prevent employees from sharing information or adapting the way employees work. However, in the ICO’s view, an organisation’s approach should be proportionate, taking into account the compelling public interest in the current situation. The statement also seeks to address certain specific questions:

  • Collection of health data: The ICO is clear that whilst employers have an obligation to protect an employee’s health, this doesn’t provide an unlimited ability to collect excessive volumes of information. They do consider it reasonable, however, to ask people to tell you if they have visited a particular country or are experiencing COVID-19 symptoms. Taking approaches which minimise the amount of information an organisation needs to collect is likely the best practice (i.e., asking visitors to consider government advice before they decide to visit or advising staff to call 111 if they experience symptoms or have visited particular countries).  If, after taking these measures, an organisation still needs to collect specific health data, the ICO confirms that ongoing data minimisation and information security to protect this sensitive category of data will be paramount. The ICO’s current statement does not give guidance on the appropriate legal grounds under the GDPR for processing personal data including health data in this context.
  • Employee notification: The ICO acknowledges that employers have an obligation to ensure the health and safety of employees, as well as a duty of care.  Ultimately, it appears that you can tell staff that a colleague may have potentially contracted COVID-19, but it is unlikely you will need to name specific individuals, and organisations should not provide more information than necessary.
  • Governance and rights request responses: The ICO guidance comments that it will not penalise organisations where resources have been diverted from compliance or information governance work. Whilst the timescales prescribed by the GDPR for responding to rights requests cannot be extended, the ICO plans to make clear as part of its future communications that individuals may experience understandable delays when making requests at this time.

The ICO’s statement also makes clear that data protection law does not prevent the following activities:

  • Healthcare communications: Data protection and electronic communication laws do not prevent healthcare professionals or official bodies sending public health messages to individuals. These types of communications are not direct marketing.
  • Remote working. The ICO is clear that organisations should consider the same types of security measures as would be used in normal circumstances for remote or home working.
  • Sharing employee health data with authorities for public health purposes. Whilst the ICO acknowledges that sharing the details of specific individuals with authorities is unlikely, if it is necessary, data protection law will not be a barrier to this sharing.

You can find a full version of the ICO’s guidance in our update on Coronavirus Risks – U.S. and European Employment and Privacy Law Issues here.

William RM Long

London

wlong@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).