The ICO has issued brief guidance to data controllers in relation to the COVID-19 outbreak. The advice is concise and pragmatic, and full details of it can be found here: https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/
In particular, I draw your attention to a couple of short statements.
“The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.”
“We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate - if something feels excessive from the public’s point of view, then it probably is.”
These statements can, I think, be summarised as “use sensible judgment.” However, I would also advise data controllers to document their thinking and decisions as they go along, ideally following data protection impact assessment templates, so that due consideration of the issues is both given and recorded.
The ICO has also taken time to provide some guidance for individual data subjects, to avoid fraudsters profiting from people’s understandable concerns and heightened anxiety at the present time. This guidance is a good reminder for your staff too! Attacks on people in their employment capacity, where it is the business’s data the fraudsters are trying to access, will similarly increase when criminals think people may act more rashly while under stress. The ICO’s top tips are here and worth circulating: https://ico.org.uk/your-data-matters/your-data-matters-blog/
Some other points:
1. The deadline for completing DSARs is likely to be tough to meet in circumstances when data controllers are short-staffed and technology resources are stretched by unexpected tasks such as supporting staff with home-working. The ICO has said it will understand if data controllers do not meet deadlines. It is advisable to communicate to the requester (even if it is obvious!) that there will be a delay.
2. Perhaps similarly, completing breach notifications may be tougher in the present circumstances. If a breach occurs, the normal steps apply. See our article on this here. All breaches should be documented in the data controller’s register. If there is a risk to the rights and freedoms of the data subjects, a notification to the ICO must be made. It is advisable to submit the breach notification with as much information as is available before the end of the 72-hour deadline, noting the difficulties in preparing a full report, and then follow up as and when further information becomes available.
3. Homeworkers are likely to be using their own devices to process personal data. This is acceptable, but care should be taken to keep personal data (as well as business confidential information) secure. Security measures should be proportionate in the circumstances. This means that commercial considerations can be taken into account, but should be balanced against the level of risk to the rights and freedoms of the individuals. Remind homeworkers to think carefully about what they are doing. In particular, avoid emailing personal data to personal email accounts.
4. Data controllers that need to understand the health status of, say, employees need to remember that:
a. A legal basis for processing is required. This is likely to be legitimate interests. A legitimate interests assessment should be completed and a policy for processing the data documented. There should be consideration of how long the information is needed for and how it will be destroyed once the personal data no longer serves a purpose. Avoid the pitfall of using the data for purposes other than those for which it was collected.
b. Health data is special category data, and a further legal basis for such data is needed. This is likely to be one of the following:
i. 9.2(b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, e.g. the processing is necessary to safeguard employees; OR
ii. 9.2(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services; OR
iii. 9.2(i): processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care.
In relation to the two latter categories, medical professionals with professional confidentiality obligations need to collate the personal data.
5. Data controllers need to consider their duty of care to third parties as well as their data protection obligations. If it is necessary to share personal data, this should be done in a way that minimises the processing. Ideally the data would be permanently anonymised. For example, it may be necessary to tell staff or visitors that someone they have come into contact with is ill, but not necessarily to say who that person is.
6. Should it come to that, there is a specific legal basis that can be relied upon for sharing personal data for public health reasons. This is the basis that the processing of such data is necessary in order to protect the vital interests of the data subject or of another natural person, and that the processing is necessary for the performance of a task carried out in the public interest.