There’s no doubt that this year has been extremely challenging for businesses, whatever their size and industry. Between the economic downturn and protecting the health and wellbeing of staff, data protection and privacy compliance probably hasn’t been at the forefront of the agenda. But as we start to see the lockdown rules ease and businesses re-open, consumer-facing organisations may need to review their data protection processes in order to comply with the Government’s guidance for reopening.
Collection of additional Personal Data
Following the Government’s announcement on 23 June, many businesses are preparing to re-open their doors this weekend. As part of the Government’s guidance, businesses are being encouraged to use the NHS Test and Trace system, which requires them to keep a temporary record of customer and visitor data for 21 days to assist with tracing requests if needed. Other industries, such as lettings agents and hotels, are being advised to confirm with their customers whether they have had, or develop, symptoms before or after visits in order to protect others and help limit the spread of the virus.
Why is this a concern?
Whilst contact details collected as part of the Track and Trace system are considered fairly low-risk information from a data privacy perspective (compared to health or financial information, for example), it still begs the question whether businesses like pubs and cafes will be able to comply with the data protection obligations that attach to this.
Under data protection law, any organisation that collects personal data (which includes contact information) must inform the individual of its purposes for processing the personal data, how long it retains it and who it is shared with. This information is usually captured in a privacy notice, which is shared with the data subject when the data is collected.
To comply with this requirement, businesses should therefore be updating their privacy notice and presenting it to customers when they collect their contact details. They will also need to consider how they store such data, whether it’s necessary, whether it is limited to a particular purpose, and how long to retain it, in order to demonstrate that they’re complying with the GDPR’s accountability principle.
We await guidance and further details on how the Track and Trace system will work, but presenting individuals with a privacy notice on entry into the pub doesn’t seem like a practicable step, or one that will be willingly adopted. It will be interesting to see whether the system itself caters for this or whether businesses will need to implement new processes and technologies to manage the collection and processing of such additional data.
Perhaps of more concern are those businesses gathering health data, which is deemed “special category data” for data protection purposes. This attracts a higher degree of care and additional requirements. Data about an individual’s past, current or future health, including COVID-related health data, falls into this category.
The GDPR includes a general restriction on processing special category data unless one of the 10 exceptions applies; these are referred to as “conditions for processing”. This means that organisations processing special category data must have a lawful basis to process such data under Article 6 of the GDPR, as well as satisfying one of the conditions for processing under Article 9. The Data Protection Act 2018 (“DPA 2018”), which supplements the GDPR and implements it into UK law, adds an additional hurdle. If an organisation is relying on one of the Article 9 conditions that requires a “basis in law” for the processing of special category data, it must also meet one of the conditions set out in Schedule 1 of the DPA 2018.
The ICO guidance suggests that organisations should only seek to rely on the Article 9 and Schedule 1 conditions if it is not reasonable or possible to obtain consent from the individual. Is it appropriate to seek consent from the individual in the context of the pandemic? At present, it’s unclear whether these conditions would apply to COVID-related health data or whether businesses should be obtaining consent from the data subject; if it’s the latter, this adds further complications around ensuring such consent is freely given and properly documented.
Even if it can be determined that the Schedule 1 conditions do apply, and organisations do not need to rely on consent, many of those conditions require organisations to implement an Appropriate Policy Document setting out their processing activities and the organisational safeguards used to protect the special category data.
The ICO guidance provides that organisations collecting health data related to the pandemic should conduct a Data Protection Impact Assessment (DPIA), focussing on the new areas of risk. There is no set way to carry out a DPIA, but it should consider how the data is used, the proportionality and necessity of collecting it, the management and organisational measures used to protect the data, and what mitigating actions can be put in place to counter any data protection risks.
As set out above, it currently isn’t clear what is expected in terms of the collection and processing of both contact data and COVID-related health data, and we await further Government guidance on this.
The ICO’s “data protection and coronavirus information hub” suggests that the regulator is taking a flexible and pragmatic approach to the pandemic, and there seems to be recognition that businesses may struggle to meet their data protection obligations during this time.
Whilst the ICO’s approach provides some comfort, it doesn’t give organisations a “get out of jail free” card, and they are still required to take steps to demonstrate that they are trying to meet their regulatory obligations. In this interim period (before the Government issues any formal guidance), businesses should consider:
- Data Protection Impact Assessment – try to identify any new risks that your business faces when collecting and processing additional personal data and/or special category data, and the ways in which you can mitigate those risks.
- Privacy Notices – it’s a good time to give your privacy notice a health check and think about how you’re managing personal data generally, updating it to capture any new data or processing activities.
- Engagement with Third Parties – using new technologies to help manage these new processes may be beneficial from an operational perspective, but ensure you have GDPR-compliant terms included in your contracts. Undertake due diligence on the supplier, including understanding where they store and process personal data.
- Limitation – just because you’re collecting additional or new data sets doesn’t give you an unfettered right to use it at will. Ensure that you’re only using this data for the purpose for which you’re collecting it and, if you intend to use it for other purposes, ensure you have a lawful basis for doing so.
- Consent – remember that when relying on consent, it must be given freely by the data subject and clearly documented.
- Stay up to date – the landscape of the pandemic is constantly changing. Keep up to date with the guidance and, if you’re unsure what you’re supposed to be doing, seek specialist advice or call the ICO for assistance.