Each part of our society has been impacted by the recent pandemic. School are now closed. The English Court system is introducing new procedural rules to ensure that court hearing can continue, largely by telephone. On 24 March 2020, Health Secretary Matt Hancock conducted Downing Street’s first remote press conference. And countless workers are adapting to their ‘new normal’ working from home.
The world of Data Regulation is likewise adapting to the rapidly changing landscape. The European Data Protection Board (EDPB) has cancelled its monthly plenary session, but has issued a formal statement. The statement emphasises that data protection laws do not hinder measures taken in the fight against the coronavirus (COVID-19) pandemic.
The UK Response
On 12 March 2020, the Information Commissioner’s Office (ICO) issued a statement addressing concerns that data protection laws may impact on attempts to deal with the coronavirus.
The UK regulator confirmed ‘Data protection and electronic communication laws do not stop government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health’.
The ICO emphasised that it is ‘reasonable and pragmatic’ and will ‘take into account the compelling public interest in the current health emergency’ on matters of compliance.
In particular the ICO is unlikely to take action against organisations unable to respond to data subject access requests within the statutory deadline while resources are limited or diverted elsewhere.
It is reasonable to seek and hold health information relevant to the coronavirus, such as countries visited or symptoms experienced. Organisations should still only collect the data they need and appropriate safeguards should be put in place.
When working from home the usual kinds of security measures ought to be taken (for example, passwords for devices and the encryption of personal data).
The most frequently asked question is whether an employer can disclose that an employee is infected with COVID-19 to his colleagues or to externals?
Both ICO and EDPB guidance is that Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.
The statement from both organisations reflect the approach being taken by many sectors, and being adopted by regulators in other countries. Data Protection remains important, but a reasonable and pragmatic approach is to be adopted. This will reassure many data controllers and processors during this current health emergency.