Covid-19 and the GDPR: Let’s stay secure together

Measures that are currently being taken to slow the spread of the global Covid-19 coronavirus pandemic will inevitably cause disruption to most businesses. Whilst compliance with data protection may be the last thing on businesses’ minds during these extraordinary times, it should not completely take a back seat particularly given the significant shift to homeworking.

The UK Information Commissioner’s Office (ICO) recognises the unprecedented challenges we all face and has, in response to the Covid-19 pandemic, relaxed its approach to compliance and enforcement. However, businesses are still very much expected to maintain a good level of compliance with the General Data Protection Regulation (GDPR) whilst adapting to a new way in which they work. The guidance published by the ICO, which we’ve summarised below, is useful to businesses who are concerned about their level of compliance with the GDPR as they adapt to the Covid-19 crisis and provides practical guidance in relation to the steps they should take, particularly around the issue of homeworking and security.

ICO’s guidance

The ICO’s guidance, released on 12 March 2020, focuses on six key compliance issues. It acknowledges the potential need for organisations to share information quickly or adapt the way in which they work at short notice. However, even in these exceptional times, businesses are still expected to act in a transparent and proportionate way in relation to personal data. The key take home message from the ICO is that if something feels excessive from the public’s point of view, then it probably is.

1. Enforcement and deadlines

The ICO has confirmed that it will not penalise businesses in cases where there is a need for resources to be diverted away from usual compliance or information governance work and will take a “reasonable and pragmatic” approach in enforcing data protection obligations.

Whilst the ICO cannot extend statutory deadlines, such as responding to a Data Subject Access Requests, the ICO has recognised that delays may be experienced when making information rights requests requests during the pandemic.

2.  Healthcare organisations contacting individuals about Covid-19

The GDPR and ePrivacy rules do not stop the UK Government, the UK National Health Service or any other health professionals from sending public health messages (including about Covid-19) to people, either by phone, text or email. These messages are not considered direct marketing. However, other businesses who are sending out Covid-19 service related communications should be careful not to include any marketing information within these communications as this could amount to direct marketing which would breach the ePrivacy rules if consent has not been obtained in advance or if those individuals have opted out of receiving direct marketing.

The ICO has further confirmed that data protection laws do not stop the use of the latest technology to facilitate safe and speedy consultations and diagnoses. The guidance recognises that public bodies may require to collect and share additional personal data to protect against serious threats to public health, such as the current pandemic.

A good example of the recent use of technology being employed to help contain the spread of Covid-19 is the UK Government’s use of mobile phone data to report on density and social distancing as well as anonymised travel plans which aim to combat the pandemic in ways that traditional tracking methods may not. Although such measures have raised privacy concerns, the ICO’s view is that use of smartphone location tracking data to help and monitor the spread of Covid-19 does not break privacy laws. This is because general location trend analysis, where properly anonymised and aggregated, is not personal data and does not fall under data protection law because an individual cannot be identified.

3.  Security measures and homeworking arrangements

As a result of the pandemic, employees are now expected to work from home where possible. Data protection law does not prevent homeworking, but businesses must consider the same kinds of security measures for homeworking that they would use in normal circumstances, which will be more difficult to monitor and control than in an office based environment. The ICO has produced a basic guide on data security which can be accessed here.  In addition, employers should consider how its staff access work information and whether that involves a footprint of data being left on the employee’s own device at home or mobile device and how that is controlled.

Video conferencing apps and team communication apps such as ‘Zoom’ and ‘Teams’ are also becoming increasingly popular amongst home workers because they allow employees to collaborate easily and stay connected. However, questions over the security of these apps have been raised and as such, employers are encouraged to carry out a risk assessment to assess whether the use of these tools is appropriate for its business before permitting staff to use them. Whilst the Covid-19 pandemic is changing what we do and how we do it, businesses must remain vigilant to the enhanced security threats during this time.

4.  Informing staff that a colleague may have contracted Covid-19

Employers have an obligation to ensure the health, safety and welfare of its employees. As part of this duty, employers may wish to carry out contract tracing where an employee has tested positive for Covid-19  to prevent the infection spreading further. The ICO has confirmed that businesses can keep staff informed about cases, but should avoid naming individuals where it does not have the consent of the individual to do so and should not provide more information than is strictly necessary.

5.  Collecting health date relating to Covid-19 from employees

Businesses can collect health data from employees, however, in line with the data minimisation principle, they should ensure they do not collect more data than they need and that any data collected in connection with the pandemic is kept safe and secure. Examples of reasonable data collection may include asking employees (and/or visitors) whether they visited a particular country or whether they are experiencing Covid-19 symptoms in order to protect the health, safety and welfare of their workforce. Any information that is no longer needed should be deleted in line with storage limitation principle of the GDPR.

6.  Sharing employees’ health information with authorities

The ICO’s guidance states that data protection law will not stop businesses from sharing information with authorities about specific individuals, although it is unlikely that businesses will be required to do so.

Stay in touch

We will be monitoring guidance from the ICO and new legislation introduced by the Government in relation to data protection and how businesses should operate in relation to the Covid-19 pandemic. Please check back here for further updates. If you have any questions about this subject please contact Nick Phillips or Selina Clifford from the Intellectual Property team.

For an update on all the legal implications relating to Coronavirus please see here.

If you aren’t receiving our legal updates directly to your mailbox, please sign up now