The ICO has published helpful guidance on its expectations for compliance with data protection law during the Coronavirus (COVID-19) pandemic.
The main points to note are:
Meeting statutory deadlines
The ICO has confirmed that it will not take regulatory action against organisations which do not meet their usual data protection practices where this is a result of the coronavirus pandemic. It stated: “We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.”
Organisations should note, however, that the ICO does not have the power to set aside the usual one month deadline for responding to information rights requests, such as data subject access requests. For the time being, the usual deadlines still apply and organisations should aim to meet these.
Advice for employers
The ICO has stated:
- Data protection law does not prevent staff from working from home, but employers should ensure that appropriate security measures are in place which would be used in normal circumstances. In light of this guidance, it may be prudent to remind staff about data security policies in place for agile working in order to ensure compliance.
- Employers can inform staff that a colleague may have contracted COVID-19. This is in line with their health and safety obligations. However, employers should avoid naming individuals or providing more information than is necessary to keep your colleagues informed.
- It is reasonable to ask employees and visitors whether they have any symptoms or have visited a particular country.
- Data protection law does not prohibit organisations from sharing employees’ health information with authorities for public health purposes.
Points for healthcare organisations
Data protection law does not prohibit the Government and healthcare organisations, such as public authorities and GP clinics, from sending public health messages.