On March 12, 2020, the Information Commissioner’s Office (ICO), the U.K.’s data protection authority (DPA), published Guidance for data controllers on their data protection compliance obligations during the COVID-19 pandemic. The take-away point is that the ICO will take into account “the compelling public interest in the current health emergency” and will take a “reasonable and pragmatic” approach to enforcing data protection obligations. In light of this Guidance, the question of what particular steps are proportionate, in terms of General Data Protection Regulation (GDPR) compliance, will be of increasing importance while organizations and individuals navigate the pandemic.
The ICO states that it does not operate in isolation from matters of serious public concern. It recognizes the unprecedented challenges faced by data controllers as well as by society at large during the pandemic, and acknowledges the potential needs of organizations to share information quickly or adapt the way in which they work at short notice. The Guidance provides answers to six frequently asked questions about compliance with the GDPR during the COVID-19 pandemic, as summarized below.
1. Responding to data subject access requests (SARs)
The Guidance states that although the ICO cannot modify statutory timescales, it will not penalize organizations that it knows need to prioritize other areas or adapt their usual approach. Additionally, the ICO states that it has made provisions to inform the public through its own communication channels that they may experience delays when making SARs during the pandemic.
2. Health care organizations contacting individuals about COVID-19 without prior consent
The Guidance clarifies that the GDPR and electronic communication laws do not stop the U.K. government, the U.K. National Health Service or any other health professionals from sending public health messages (including about COVID-19) to people, either by phone, text or email, because these messages are not direct marketing.
In a nod to making use of technological advances, the ICO further states that data protection laws do not stop health professionals from using the latest technology to facilitate safe and speedy consultations and diagnoses. Further, the Guidance recognizes that public bodies may require additional collection and sharing of personal data to protect against serious threats to public health, as in the current pandemic.
3. Security measures and homeworking arrangements
During the pandemic, employees may work from home more frequently than usual. The ICO’s view is that data protection is not a barrier to increased and different types of homeworking. However, the ICO advises that organizations should consider adopting the same kind of security measures for homeworking that would be used under normal circumstances (see further details below).
4. Informing employees that a colleague may have contracted COVID-19
The GDPR does not prevent organisations from keeping staff informed about cases of COVID-19 among their workforce. However, data controllers must be prudent not to name individuals or to provide more information to colleagues than strictly necessary.
5. Collecting health data relating to COVID-19 from employees
Organizations must ensure that they do not collect more data than they need and that any data collected in connection with the pandemic must be treated with the appropriate safeguards. Examples of reasonable data collection may include asking employees (and/or visitors to an organization) whether they visited a particular country or whether they are experiencing COVID-19 symptoms.
6. Sharing employees’ health information with authorities
The GDPR will not stop organisations from sharing information with authorities about specific individuals, although it is unlikely that organisations will be required to do so in the first place.
Guidance from the EDPB and other DPAs
All (apart from three, at the time of writing) other European DPAs have now issued guidance on the impact of COVID-19 on GDPR compliance obligations. It is possible that as the global spread of COVID-19 continues to develop, European DPAs may revisit their guidance.
On March 19, 2020, the European Data Protection Board (EDPB) also adopted a formal statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB states that data protection rules, such as the GDPR and the e-Privacy Directive, do not hinder measures taken in the fight against the coronavirus pandemic. The EDPB underlines, however, that even in these exceptional times the data controller and processor must ensure the protection of the personal data of the data subjects. A number of considerations should therefore be taken into account to guarantee the lawful processing of personal data. The EDPB states that in all cases any measure taken in this context must respect the general principles of law and must not be irreversible. Certain issues, such as the use of mobile location data and matters concerning data protection in the employment sector, are specifically addressed in the EDPB’s statement.
Further, guidance about the impact of COVID-19 on data protection laws has been published by a few regulators outside the European Union, including Switzerland, Norway, Russia, Hong Kong, Singapore, Australia and Canada.
Please consider Akin Gump’s online COVID-19 Resource Center in relation to issues relevant to data protection, such as remote working, business/personal travel quarantine and sick leave obligations. Please get in touch with a member of the Akin Gump team if you would like more information on how your organization can ensure that it meets its data compliance obligations during the pandemic.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.