Personal data and pandemics: What you need to know
As COVID-19 sweeps across the country, organisations and businesses may be tempted to put data protection on the backburner in the interests of adapting quickly to the unfolding pandemic. However, as data protection laws still apply, we have prepared this note to guide you through data protection legislation during these unprecedented times.
Has the law changed?
The first thing to be aware of is that data protection law has not fundamentally changed as a result of COVID-19. The European Data Protection Board has confirmed that even in these exceptional circumstances, you must ensure that personal data is protected. The Information Commissioner’s Office (ICO) has clarified that statutory timescales remain the same, regardless of the pandemic. So, for example, you would still be in breach of the GDPR if you do not respond to a request by an individual for the personal data you hold about them (known as a ‘subject access request’ or SAR) within the statutory period of one month (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month).
However, the ICO has shown understanding towards organisations that need to redirect resources away from compliance and information governance. It has said it is unlikely to take regulatory action against such organisations simply because they cannot meet their usual high standard of data protection during the crisis. Taking the example of the SAR, the ICO has indicated that it recognises delays may be likely at this time.
While the ICO has said that this understanding approach is its rule of thumb, organisations would be wise not to take their eye off the ball: the legal obligations remain, and the ICO’s forbearance is discretionary rather than a change in the law. If you are struggling with a data protection issue, we advise you to seek legal advice immediately to clarify your position, as time is often of the essence.
With many employees working from home, how do we protect personal data?
Data protection laws should not be a barrier to home working. However, you will need to apply the same security measures to home working as you would to your normal business practice: the GDPR’s requirement for appropriate technical and organisational security measures does not relax because staff are working from home.
You should take steps to ensure that your employees are fully aware of how to manage data securely from home by providing clear guidance on how your compliance procedures are to be followed remotely. For example, there will likely be a temptation for employees to email documents to their (unsecured) personal email accounts. We suggest that you make it clear to staff that such practices are not permitted and are contrary to your data protection obligations. Guidance of this kind is far more likely to be followed if staff are also given a sanctioned alternative, such as access to company systems through a managed device or a VPN, so that the insecure route is not the only convenient one.
What information can I gather from my staff to manage the pandemic?
Health data is ‘special category’ personal data, which is afforded a high degree of protection under data protection laws. COVID-19 does not give you free rein to gather any health data you like. You can gather information necessary to protect your staff’s health, but you must still ensure that you have a lawful basis for doing so (and, because health data is special category data, a further condition for processing it), and you must gather only the minimum information needed to achieve that aim. For example, it is reasonable to ask staff whether they have any COVID-19 symptoms or have recently returned from an at-risk location; it would not normally be reasonable to request their wider medical history.
As with all personal data, you should be clear about why you are collecting the data, how it is being used, who it will be shared with, and how long it will be held for. One way to do this is to prepare a specific policy and circulate it to your staff. The information should be provided in language that is clear and easy to understand. The decision-making process behind gathering this data should be documented, so that you can demonstrate compliance if asked.
We would also advise taking measures to reduce the amount of personal data you need to collect. The least intrusive means of achieving your purposes should be used. For example, where possible, you can direct visitors and staff to government advice on self-isolation rather than requiring them to report health information to you directly. Any personal data you do collect should be subject to appropriate safeguards, such as restricting access to those who need it and storing it securely.
What do I tell my staff if someone contracts COVID-19?
You may tell employees that a colleague has contracted COVID-19, is under quarantine, or has been exposed to the virus. This is in line with the more general duty on employers to ensure the health and safety of their staff. However, you should be careful about what information you give. For example, you should not reveal the identity of the affected employee unless this is necessary to protect the health of other employees. In most cases it should be possible to protect your employees without identifying those affected by the virus.
What happens after the COVID-19 pandemic is over?
Although it is currently unclear when the pandemic will draw to an end, once it does organisations will need to work out what to do with the data collected during this time.
The GDPR’s storage limitation principle requires that personal data is not kept for longer than is necessary for the purpose for which it was collected. So, once the crisis is over, you should delete the data. A practical tip is to keep the data gathered for the purposes of the pandemic in one place, so that it can easily be reviewed and deleted when the time comes; remember to account for copies that may have been made in emails, spreadsheets, or shared drives, which are easily overlooked.
It may be possible for organisations to argue that they still have a lawful basis for processing the data even once the pandemic is under control, for example if you can legitimately say that keeping the data is in the public interest. However, if you would like to keep the data, we advise you to seek legal advice on that point.
As the COVID-19 situation is changing frequently, we advise that you stay alert to new guidance or laws which may change how data protection operates.