
Mona Patel Partner
COVID-19: What are the implications for data protection?
As governments work to contain the COVID-19 pandemic and companies implement emergency measures to comply with public health initiatives, it is important that any steps taken are consistent with the EU General Data Protection Regulation (“GDPR”). We set out below the basic data protection questions you may have from a UK perspective.
No. Whilst it is clear that there is no general waiver for compliance in a public health emergency, the Information Commissioner’s Office (“ICO”) has said that it understands companies may have to divert resources from usual compliance and governance work to deal with other matters and it will not seek to penalise such behaviour during this crisis.
No. You will need to put in place the same types of measures that would apply in the workplace, particularly as staff may be using their own devices or communications equipment. For example, companies should be:
Yes. You have a duty of care to your staff, which means you should keep them informed about cases in your company. That said, you should be careful not to disclose more information than is strictly necessary to protect their health and safety (e.g. you may not need to name specific individuals). If you do decide to name individuals, the specific member of staff should be informed of the communication in advance and their dignity and integrity should be protected.
Yes, you can, though you should obtain the specific and informed consent of your staff to process their private contact details in order to make contact with them at short notice in relation to COVID-19 (you should not, for example, then use these details to contact them outside working hours once things have returned to normal).
You can ask staff reasonable questions for the purpose of protecting your workforce’s health. These might include asking whether they have visited a particular country or are experiencing COVID-19 symptoms, etc. Ideally all such measures would be supervised and signed off by a health care professional / occupational health professional, in particular if health data are being processed. It is important that you ask only reasonable questions. For example, the nationality of the individual or the identity of those friends or family with whom they have had contact is not data you need to obtain.
Yes, although it is unlikely that your organisation will need to share information pertaining to specific individuals with authorities. Wherever possible, avoid processing specific health-related information which can be linked back to an individual.
Remember to:
The ICO has recently published helpful guidance on these issues. For further information see the following articles on the ICO website: “Data protection and coronavirus: what you need to know”, “Data protection and coronavirus” and the ICO's blog on its information rights work.
The above does not constitute legal advice, nor does it set out a complete list of issues to consider in the context of COVID-19. Should you have any queries, please do not hesitate to contact the authors of this article or your usual contact at Ince.