A statement recently published by the ICO confirms its understanding that the processing of personal data may be affected by the needs of an organisation when addressing the impact, and attempting to limit the spread, of the coronavirus (Covid-19) pandemic.
This will give some comfort to organisations who may need to share information quickly, where, for example, employers need to share information with healthcare authorities or to enable remote working, or within the healthcare sector where the timely sharing of information is required to administer treatment and to maintain open communications during this challenging time.
Public health messages can be sent using electronic means without them constituting direct marketing, and other technologies can be used to facilitate consultations and diagnoses. It is also reasonable for organisations to request information as to a country a person has visited, or if a person is displaying any Covid-19 symptoms.
Keep staff informed
Health and safety obligations enable an employer to keep staff informed about cases or potential cases of Covid-19 within its organisation provided it does not disclose employee names or provide more information than is necessary.
Security measures
In all cases, organisations must be mindful of collecting more information than required and ensuring appropriate security measures are implemented with respect to such processing.
Proportionality, therefore, continues to be the prevalent consideration in any processing activity, the message from the ICO being that ‘if something feels excessive from the public’s point of view, then it probably is’.
As to other processing activity, a delay in complying with, say, responding to an individual’s rights request, is unlikely to attract any penalties where there is a need for the organisation to prioritise other areas, although statutory timescales will not be relaxed.
Conclusion
The concluding message is that data protection legislation will not prevent an organisation managing the impact of Covid-19 on its business, but it should continue to bear in mind the principles under the legislation and pay particular attention to the security of the data concerned.
