“Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health”
The UK’s data watchdog has acknowledged that COVID-19 is causing massive disruption to the way organisations are operating, and suggested that it will take a soft-touch approach towards organisations unable to meet statutory data protection requirements during the outbreak.
The ICO also said that it will not “penalise” organisations that are unable to handle information or data requests in a timely manner — welcome news as many firms’ ability to process and action GDPR requests will be severely limited as resources are diverted to ensuring newly remote workforces are bedding in to working from home.
Under GDPR, organisations have one month from receiving a data request to respond. In special circumstances a two-month extension can be granted. If data compliance officers are working from home, they may be unable to access any records that are not stored digitally in accessible systems, hampering their ability to respond.
The ICO stated: “We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”
In comments directed at those querying the actions of public health organisations, it added: “Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health… Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing.”
Looking after the Workforce
The ICO is also informing organisations that if a member of their staff is suspected of contracting COVID-19, they are fully able to pass this information on to that person’s colleagues. Employers have an obligation and a duty of care to the greater workforce in situations like this. However, disclosing the person’s identity should be avoided if possible to help protect that person’s personal data.
The Irish data authority, meanwhile, is advising that “disclosure of this information may be required by the public health authorities in order to carry out their functions.”
When it comes to a company’s employees and their health, the data authorities stress that being concerned about workers’ health does not mean you should start collecting unnecessary amounts of health data from them.
Yet, it is “reasonable” to ask employees and visitors if they have visited a country that is experiencing the worst of the COVID-19 pandemic.
The ICO said of the pandemic that it is a “reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.”