Introduction
The COVID-19 pandemic brings a sharp focus to the difficult balance that the GDPR seeks to strike between the rights of individuals and society as a whole.
In these unprecedented times, how will the data protection authorities deal with the issue of data protection and privacy, in the light of grave concerns around both health and the economy?
Fortunately, we have the benefit of a series of guidance notes from the UK Information Commissioner’s Office (ICO), while the European Data Protection Board has issued detailed guidance for test and tracing apps.
In this article, which is in two parts, we summarize that guidance. References to GDPR are to both the EU Regulation and the UK’s Data Protection Act 2018. Part 2 of this article will be published later.
ICO Guidance
The ICO has published around 10 guidance notes and blogs, both broad and specific, covering a wide range of topics. You can access the ICO guidance here. Part 1 of this article covers the first five of these.
- Data Protection and Coronavirus – What You Need to Know
In this, the broadest guidance, the ICO first reassures organisations that data protection law does not stop them sharing in-formation quickly where needed, subject to the principle of proportionality.
The note goes on to recognize that organisations might need to divert resources from their usual data protection work and states that the ICO will not penalize them where they need to prioritize other areas during this period.
The guidance concludes with a promise to inform people that they may experience understandable delays when making information rights requests during the pandemic, although it cannot formally extend statutory timescales. It then directs readers to guidance on its regulatory approach, described next.
- Regulatory Approach During Coronavirus
The guidance note on the ICO’s regulatory approach guidance adds detail to its general statement about not penalizing organisations. It emphasizes that the ICO will take account of the circumstances, such as staff and capacity shortages and the severe front-line pressure on public authorities in taking action.
Equally, it points out that information rights continue to have an important role, while acknowledging that the nature of data protection law confers flexibility, containing checks and balances to ensure personal information can flow and be effectively utilized for healthcare, apps and research projects.
The ICO commits to an “empathetic, pragmatic, proportionate” approach, including:
- investigating only the most serious cases;taking firm action against people who exploit the pandemic by misusing personal data;
- acknowledging the pandemic’s impact on the 72-hour deadline for breach reporting;
- reducing use of its powers to require evidence and allowing longer to respond;
- taking account of whether breaches result from the crisis in deciding whether to issue fines;
- reducing the level of fines as a result of economic impact on their affordability; and
- suspending actions relating to information requests.
- Health, Social Care Organisations and Coronavirus – What You Need to Know
The third important guidance note is aimed at health and social care organisations. It particularizes the ICO’s general guidance, observing that data protection laws do not stop Government, the NHS or other health professionals from sending public health messages to people by phone, text or email. Nor do they stop them from using technology to facilitate consultations and diagnoses.
The ICO then pats itself on the back, declaring itself "a reasonable and pragmatic regulator," which will place the safety and security of the public first with regard to data protection compliance.
- Data Protection and Working from Home
The fourth guidance note covers home-working during the crisis. The ICO remarks that data protection is not a barrier to this but spells out the need for organisations to consider the security implications, and take measures equivalent to those they would use in normal circumstances.
The guidance contains a useful security checklist, including features on BYOD and video conferencing.
Organisations would be well advised to read this, since data security is one of the key principles of GDPR and poor security is the most common reason for fines.
- Workplace Testing – Guidance for Employers
As the lockdown begins to ease across the world and personnel return to work, this guidance note is timely.
The ICO advises that data protection law does not prevent employers taking the necessary steps to keep staff and the public safe and supported during the pandemic. Nevertheless, it does require them to be responsible with people’s personal data and ensure they handle it with care.
The guidance focuses on "return to work" tests to check whether staff have COVID-19 symptoms. Such tests involve pro-cessing health data, classed as "special category data" under GDPR due to its sensitivity, and requiring even more careful protection.
Private organisations have first to be satisfied they need to carry out such tests to satisfy employment law, i.e. their health and safety at work obligations as employers.
Employers must then demonstrate compliance throughout the process, ranging from additional record keeping to collecting only the minimum amount of information needed. For example, requiring information about the result of a test only, rather than additional details about underlying conditions. Employers must also record the date of test results to avoid holding out-dated and therefore inaccurate personal data.
Where employees test positive, this information can be retained, securely and subject to a duty of confidentiality. However, this must not result in any unfair or harmful treatment.
Transparency is equally important. Employers must be clear and honest with employees, explaining what they intend to do with the results before testing.
Other staff should be informed about potential or confirmed COVID-19 cases among their colleagues, but without naming individuals if possible. The information can also be shared with authorities for public health purposes, or the police where necessary and proportionate.
Part 2 of this article, covering some more guidance from the ICO and the EDPB Guidelines on track and tracing apps, will be published later.