COVID-19 and its implications for data protection compliance
23 March 2020
As COVID-19 panic continues to grip the nation, businesses are grappling with how best to respond to the situation, including considering how to protect their customers, visitors and staff. At the same time, EU data protection regulators are keen to remind us this pandemic does not in and of itself entitle us to relax our approach to data protection compliance; the law is still very much the law. In this article we consider some of the key data protection issues when it comes to dealing with COVID-19.
Each of the major European regulators has now provided a statement on their stance on certain thorny data issues, demonstrating varying levels of tolerance. In the UK, the ICO in its statement has made it clear that its primary concern is, and will remain, the safety and security of the public. It has also confirmed that although organisations are not absolved of their compliance responsibilities, it will adopt a reasonable and pragmatic approach in assessing compliance with the GDPR, taking into account the need for certain organisations to prioritise other areas over data protection compliance during this “extraordinary” period.
This approach has been demonstrated through its balanced stance on a number of compliance-related concerns raised by organisations, which we set out in further detail below:
- Security measures when working from home: With increasing numbers of employees working from home, the ICO has advised companies that whilst data protection law does not prevent this, they should consider implementing the same kinds of security measures for homeworking as would be used in normal circumstances. Such measures could include ensuring all antivirus software is up to date, and encouraging employees to update passwords, lock screens when away, and take steps to secure their home routers. Workers should also receive adequate refresher training on how to identify and report potential cyber threats. This is more important than ever given the huge increase we are now seeing in cyber attacks, from phishing emails to system takeovers, primarily due to the increased working from home arrangements. For more information on the types of security measures you should be implementing please see our article titled Staying secure when homeworking during the coronavirus pandemic.
- Asking individuals about their health or recent travel: The ICO has confirmed that it is reasonable for companies to ask people whether they have visited a particular country or are experiencing COVID-19 symptoms where necessary, such as prior to entering the workplace or a production set, or attending an event. However, organisations should do so in line with the principles of the GDPR and, crucially, should not collect more data than is needed. This last point may be a tricky one for organisations to navigate in practice – how much is too much? In addition, the personal data collected should be protected through appropriate safeguards.
- Disclosing names of affected individuals: In the ICO’s view, an employer may inform its staff that there has been a case (or that there is a suspected case) of COVID-19 in the company, in order to discharge its duty of care to protect the health of its employees. Organisations should, however, consider whether sharing the name of the affected individual(s) is strictly required to protect the well-being of others. Access to an employee’s personal data, particularly in relation to their health, should be restricted on a “need-to-know” basis. Conversely, the ICO has confirmed that data protection law does not prevent companies from sharing information about specific individuals, including names, with public authorities in certain circumstances.
- Responding to rights requests: Whilst it has been clear that it cannot amend statutory deadlines, the ICO has suggested that it is unlikely to take action if organisations process requests more slowly than usual due to resource limitations stemming from COVID-19. It has also stated that it will proactively utilise its communication channels to inform data subjects that they may experience understandable delays when exercising their information rights at this time.
- Messages about public health: The ICO has confirmed its view that data protection laws do not prevent the Government, NHS, and any other health professionals from sending public health messages to people, whether by phone, text, or email, provided they do not constitute direct marketing.
Although not specifically raised by the ICO in its statement, we set out below other issues we see routinely coming up, and of which organisations should be mindful.
- Asking individuals to submit to health checks: Although the ICO has yet to adopt a view on this publicly, the Italian Government has agreed a protocol enabling employers to require employees to submit to temperature checks. This has forced the Garante, the Italian data protection authority, to change its stance on this issue, as a lawful basis now exists. It will be interesting to see if the UK follows suit.
- Monitoring employees at home: There is increasing concern that employers wanting to ensure that working from home does not negatively impact productivity will seek to deploy ‘creepy’ monitoring techniques without taking the appropriate lawful steps to assess the privacy risk and/or comply with their other data protection obligations (such as transparency). The message from the ICO on this point is that we need to be able to trust our employees, and we should be looking to avoid overly ‘creepy’ techniques particularly where there are other more proportionate measures available to monitor productivity.
- Using COVID-19-related communications as a marketing tool: Organisations need to be mindful of using the opportunity to communicate to customers about what they are doing to tackle COVID-19 as a way of promoting their own business. The ICO Direct Marketing Guide is clear that, pursuant to Regulation 22 of the Privacy and Electronic Communications Regulations 2003, if an organisation intends to send electronic communications for direct marketing purposes (now a very widely construed term), it should have the individual’s prior consent to do so (unless the organisation is relying on the soft opt-in exemption). Even if the primary purpose of the communication is to communicate an organisation’s strategy to deal with COVID-19, if any element of the communication is seen to be for direct marketing purposes, organisations should ensure that they have appropriate permissions prior to sending such communications.
- Ensuring transparency in relation to COVID-19 data processing: Many businesses are collecting and using health data to respond to the on-going crisis in new ways that will go beyond what is stated in their current privacy notices. It is important that organisations remain clear with data subjects as to what data they are collecting and how this data will be used and shared. We recommend that a specific privacy notice is issued on data collection in relation to COVID-19 in order to comply with the transparency principle.
Ultimately, whilst the ICO has taken a pragmatic and balanced approach to the application of data protection law in the wake of this pandemic, the principles of data protection law still reign supreme.
Organisations should continue to be conscientious when collecting and processing personal data, including by prioritising data minimisation, appropriate security measures, and transparency. As always, businesses should also ensure that they have the requisite policies and procedures in place, whether notices to employees, or intra-group data-sharing agreements.
Above and beyond this, they should continue to keep calm and (compliantly) carry on.