
COVID-19: ICO publishes guidance on data protection compliance

19 March 2020

The ICO has published helpful guidance on its expectations for compliance with data protection law during the Coronavirus (COVID-19) pandemic.

The main points to note are:

Meeting statutory deadlines

The ICO has confirmed that it will not take regulatory action against organisations which do not meet their usual data protection practices where this is a result of the coronavirus pandemic. It stated: “We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.”

Organisations should note, however, that the ICO does not have the power to set aside the usual one-month deadline for responding to information rights requests, such as data subject access requests. For the time being, the usual deadlines still apply and organisations should aim to meet them.

Advice for employers

The ICO has stated:

  • Data protection law does not prevent staff from working from home, but employers should ensure that the appropriate security measures which would be used in normal circumstances are in place. In light of this guidance, it may be prudent to remind staff about the data security policies in place for agile working in order to ensure compliance.
  • Employers can inform staff that a colleague may have contracted COVID-19. This is in line with their health and safety obligations. However, employers should avoid naming individuals or providing more information than is necessary to keep colleagues informed.
  • It is reasonable to ask employees and visitors whether they have any symptoms or have visited a particular country.
  • Data protection law does not prohibit organisations from sharing employees’ health information with authorities for public health purposes.

Points for healthcare organisations

Data protection law does not prohibit the Government and healthcare organisations, such as public authorities and GP clinics, from sending public health messages.

Further advice

For advice and guidance on responding to data protection issues during this time, our Data Protection and Employment Lawyers remain on hand to help.
