In light of the ongoing Coronavirus (COVID-19) pandemic, the ICO has today issued guidance on “Data protection and coronavirus: what you need to know” for data controllers. The ICO has also published advice for healthcare practitioners. Guidance has also been issued by many other Data Protection Authorities in other European countries.
The ICO comments that data protection considerations will not prevent organisations from sharing information or adapting the way their employees work. However, in the ICO’s view, an organisation’s approach should be proportionate, taking into account the compelling public interest in the current situation. The statement also seeks to address certain specific questions:
- Collection of health data: The ICO is clear that whilst employers have an obligation to protect an employee’s health, this does not provide an unlimited ability to collect excessive volumes of information. The ICO does consider it reasonable, however, to ask people to tell you if they have visited a particular country or are experiencing COVID-19 symptoms. Taking approaches which minimise the amount of information an organisation needs to collect is likely the best practice (e.g., asking visitors to consider government advice before they decide to visit, or advising staff to call 111 if they experience symptoms or have visited particular countries). If, after taking these measures, an organisation still needs to collect specific health data, the ICO confirms that ongoing data minimisation and information security to protect this sensitive category of data will be paramount. The ICO’s current statement does not give guidance on the appropriate legal grounds under the GDPR for processing personal data, including health data, in this context.
- Employee notification: The ICO acknowledges that employers have an obligation to ensure the health and safety of employees, as well as a duty of care. Ultimately, it appears that you can tell staff that a colleague may have contracted COVID-19, but it is unlikely you will need to name specific individuals, and organisations should not provide more information than necessary.
- Governance and rights request responses: The ICO guidance comments that it will not penalise organisations where resources have been diverted from compliance or information governance work. Whilst the timescales prescribed by the GDPR for responding to rights requests cannot be extended, the ICO plans to make clear as part of its future communications that individuals may experience understandable delays when making requests at this time.
The ICO’s statement also makes clear that data protection law does not prevent the following activities:
- Healthcare communications: Data protection and electronic communication laws do not prevent healthcare professionals or official bodies sending public health messages to individuals. These types of communications are not direct marketing.
- Remote working: The ICO is clear that organisations should consider the same types of security measures as would be used in normal circumstances for remote or home working.
- Sharing employee health data with authorities for public health purposes: Whilst the ICO acknowledges that sharing the details of specific individuals with authorities is unlikely, if it is necessary, data protection law will not be a barrier to this sharing.