The Information Commissioner’s Office (ICO) has recently set up an information hub on its web site (https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/) giving helpful guidance on data protection compliance in these difficult times.
Organisations may be concerned that they are no longer meeting their usual standards of data protection compliance because resources are being necessarily diverted elsewhere. The ICO has confirmed that it “won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.” Whilst the ICO is unable to extend the statutory time limits which apply to subject access requests (SARs) and other data protection rights of individuals, it will tell people that they may experience delays.
COVID-19 does not mean that organisations can ignore data protection legislation. You should still try to comply as much as possible. Keep a record of decisions made and the reasons for them, in case of scrutiny afterwards. You should continue to try to respond to SARs, keeping individuals informed and updated on the response and likely
measures for homeworking
The ICO confirms that data protection law does not prevent home working or staff from using their own device or communications equipment. However, the same kinds of security measures are needed as are used in normal circumstances.
you tell staff that a colleague may have contracted COVID-19?
Organisations should keep staff informed about cases, but individuals should not be named. The ICO states you should only disclose necessary information as required to satisfy your health and safety obligations and duty of care to staff.
you collect COVID-19 information from employees or visitors?
You have an obligation to protect employees’ health, but this does not mean you can collect lots of information about them. The ICO suggests asking people to tell you if they are experiencing COVID-19 symptoms, advising staff to call 111 if that is the case and asking visitors to consider government advice before they decide to come. If specific health data is still needed, then only collect what is necessary and ensure it is appropriately safeguarded. This includes keeping it secure and restricting access to it on a “need to know” basis.
you share employees’ health information with the authorities for public health
Yes, although the ICO considers it unlikely that you will need to share information about specific
This crisis has demonstrated community altruism and groups are springing up to help the vulnerable and those self-isolating. The ICO has a dedicated blog on its web site for these groups.
We understand that there are data protection challenges in this time of crisis. If you require any further information or assistance in complying with data protection obligations, please contact our specialist data protection team:
Amy Chandler, Partner, email@example.com
Patricia Jones, Consultant, firstname.lastname@example.org
Danielle Amor, Senior Associate,