Protecting Personal Data in a Pandemic: GDPR Meets COVID-19 - Part 2

Privacy & Cybersecurity Newsletter
November 2020


The Covid-19 pandemic brings a sharp focus to the difficult balance that GDPR strikes between the rights of individuals and society as a whole.

In these unprecedented times, how will EU and UK data protection authorities deal with data protection and privacy, in the light of serious concerns around both health and the economy?

Fortunately, we have the benefit of a set of guidance notes from the UK Information Commissioner’s Office (“ICO”), while the European Data Protection Board has issued detailed guidelines for test and tracing apps.

We summarized five ICO guidance notes in Part 1 of this article, in our July newsletter. In this Part 2 we summarize the remaining guidance, some updates to the previous guidance and the EDPB guidelines. References to GDPR are to both the EU and the UK GDPR.

Further ICO Guidance

1. Updated Regulatory Approach during Coronavirus1

The ICO has updated its regulatory approach guidance since the summer. The broad thrust remains that the ICO claims to understand that organizations are operating in challenging times and will adjust its regulatory approach accordingly, while acknowledging the important role of people’s information rights.

Against this background it commits to:

  • recognize that confidence in how personal data is used and safeguarded is a key factor in public willingness to engage with initiatives to tackle the spread of coronavirus
  • focus on the most serious risks and greatest threats
  • assist organizations by providing guidance on meeting their obligations in response to new requirements 
  • take firm action against people exploiting the pandemic through nuisance calls or misusing personal information – on 8th October the ICO trumpeted a £40,000 fine it issued to a company sending spam emails selling face masks
  • be flexible, taking into account the potential economic or resource burden its actions could place on organizations, particularly those engaged in tackling the pandemic or supporting vulnerable people
  • provide effective support to businesses and public authorities
  • keep its approach to complaints handling under regular review

Notably, the ICO no longer acknowledges the pandemic’s impact on the 72-hour deadline for data breach reporting. However, it will consider generally whether non-compliance results from the pandemic and may give organizations longer than usual to rectify breaches, where the pandemic has impacted the ability to put things right. The ICO also maintains its previous stance on reducing the level of fines.

2. Contact Tracing

As part of the UK’s anti-Coronavirus regime, organizations offering hospitality, tourism, leisure and close contact services have to collect personal data on customers, visitors and staff for contact tracing purposes.

The ICO gives those organizations the following guidance:

  • the data collected must not go beyond the individual’s name and contact details and the time of visit or shift
  • they must explain to each individual why they are collecting that data and that it will be used for contact tracing
  • the data collected must be kept securely and generally only for 21 days
  • the data must be used only for track and tracing and not used for other purposes, such as direct marketing, profiling or analysis – it should only be shared with legitimate public health authorities.

Full details can be found here. More detailed advice is also available for organizations unaccustomed to handling personal data here.

3. Coronavirus Recovery

The ICO provided guidance in the form of six key steps for organizations collecting additional personal data to provide a safe environment for staff, namely:

  • only collect and use health data if genuinely necessary to help provide a safe environment
  • keep the information you collect to a minimum
  • be clear and open with staff about your use of their data
  • decisions based on health information must be fair
  • hold the data securely and delete it when no longer needed
  • inform staff of, and let them exercise, their rights of access to the data and rectification

Full details are available here.

There is additional guidance for organizations carrying out their own symptom checking or testing, see Part 1 of this article under Workplace Testing – guidance for employers and the ICO website.

4. Surveillance

This guidance covers the use of surveillance to monitor whether employees are observing coronavirus prevention measures or to monitor contract tracing.

Such surveillance is permitted, but only if needed and proportionate for health and safety, and if there is no less intrusive way to achieve the same result. The ICO has a template which can be used to help determine the answers to these questions.

Organizations practicing surveillance must post clear notices of what is being done and why. They must then regularly review their need for and methods of surveillance.

While monitoring whom individuals come into contact with is not prohibited, it appears to require more sensitive treatment, which may include speaking to affected individuals and advising them on self-isolation. The guidance is equivocal on this issue and not particularly helpful.

Further detail from ICO is available here.

5. Case Studies

This guidance consists of four case studies, covering subject-matter such as employers who wish to ask employees to complete coronavirus symptom questionnaires and cafés who manually collect track and test data.

It sets out the issues to consider and approach to take in each scenario.

6. Covid Tracing Apps – ICO and EDPB Guidelines

On 13th October, the ICO’s blog reported on the advice and guidance it had given all four UK administrations to ensure that the NHS and other official Covid apps were designed to take account of data protection rights.

No doubt this advice was consistent with the Guidelines issued in April by the European Data Protection Board (EDPB) on contact tracing apps.

These Guidelines are fairly lengthy, at 19 pages including a useful analysis guide. In brief, they recommend:

  • that data processed should be reduced to a strict minimum and should not collect other information such as messages, call logs, location data and device identifiers
  • the data broadcasted by the app must only include unique and pseudonymous identifiers, specific to the app
  • the data must be renewed at a frequency compatible with containing the virus and sufficient to limit the risk of identification and physical tracking of individuals
  • both a centralized and decentralized approach are viable, so long as there is adequate security – the conceptual phase of app development should carefully weigh up the effects on data protection and the possible impacts on individual rights
  • any server must only collect the contact history or pseudonymous identifiers of an infected user, diagnosed following proper assessment and voluntary action of the user
  • the server must keep the above information only for the time needed to inform potentially infected users of their exposure, and should not try to identify potentially infected users
  • if a global contact tracing methodology requires additional information to be processed, it should remain on the user terminal and only be processed when strictly necessary and with prior specific consent
  • state-of-the-art cryptographic techniques must be implemented to secure the data and mutual authentication between the application and the server must be performed
  • reporting infected users must be subject to proper authorization, for example via a single-use code tied to a pseudonymous identity and linked to a test station
  • the data controller and public authorities must clearly identify the download link for the official national contact tracing app, to reduce the risk of use of a third-party app.

The EDPB concludes:

“one should not have to choose between an efficient response to the current crisis and the protection of our fundamental rights: we can achieve both, and moreover data protection principles can play a very important role in the fight against the virus. European data protection law allows for the responsible use of personal data for health management purposes, while also ensuring that individual rights and freedoms are not eroded in the process.”


The official guidance is wide-ranging and useful. Organizations which intelligently follow its approach should find themselves in a strong position with regard to compliance with these complex laws.