Data protection in the time of coronavirus
During this pandemic both the ICO and the European Data Protection Board (EDPB) have issued statements reassuring data controllers that data protection law does not impose a constraint on taking steps to contain and mitigate COVID-19.
Protecting public health is a matter of substantial public interest and a legitimate purpose recognised by the GDPR, justifying the use of personal data, including health data, in order to achieve that purpose. There is therefore no need to obtain consent to use individuals’ personal data in those circumstances.
The EDPB and the ICO, however, have indicated that the principle of proportionality continues to apply to any use of individuals’ personal data even in the context of a pandemic. This means that the use of personal data must go no further than reasonably required to protect staff, students and the public – the least intrusive means must be used.
In the context of employment, the processing of personal data may be necessary for compliance with a legal obligation to which institutions are subject, such as complying with health and safety at work legislation, or for taking steps in the public interest, such as the control of diseases and other threats to health. Discharging that duty may require keeping staff informed of cases of COVID-19 at the institution.
Not all employees, however, will need to know the names of those affected. A similar approach would apply to students who remain on campus. It is also likely to be reasonable to ask staff and students who have to come onto or remain on campus if they are experiencing COVID-19 symptoms.
The majority of staff will be working from home during this crisis, many using their own laptops and other devices. The volume of staff doing so may increase the vulnerability to security breaches, in particular where the data is not stored on an institution’s own IT network. IT staff should keep under review the resilience of their institution’s systems and refer staff to the institution’s IT/acceptable use policies.
Staff will also have to share the working environment with other family members. Staff should be reminded that they should take all reasonable steps within the constraints of their households to maintain the confidentiality of work-related data. Practical tips could include ensuring that computer screens are not visible to others and that printing of documents is kept to an absolute minimum.
Finally, the ICO has indicated that while it cannot extend time limits for fulfilling individuals’ rights, such as access, it will not penalise organisations that need to prioritise other areas of their business or adapt their usual approach during the crisis. While this is not a licence to disregard subject access requests altogether, it does mean that if resources are genuinely stretched, institutions will be able to delay responses beyond the deadline. The data subject should be kept informed from the outset to minimise the potential for complaint. If a complaint is made, institutions should ensure that they are able to provide plausible accounts to the ICO of why the time limits could not be complied with.
Shakespeare Martineau has launched a free legal helpline, with a team of experts on hand for any queries on family and private matters. We are also offering bespoke guidance on a range of other subjects, from employment and general business matters, through to directors’ responsibilities, insolvency, restructuring, funding and disputes. Available from 10am-12pm Monday to Friday, call 0800 689 4064.