Explaining the ICO’s rules
As an organisation, you may find that you need to share information quickly, but how does this work in these uncertain times? Is there any flexibility with the rules?
The Information Commissioner’s Office (ICO) has issued guidance on its expectations on compliance with data protection laws during the current coronavirus pandemic.
Data protection laws still apply as usual, although the ICO will take into account the compelling public interest in the current circumstances.
Points to note from the ICO guidance include:
Collection of specific health data
The ICO accepts that whilst your organisation has an obligation to protect its employees’ health, this does not mean that you can gather an excessive amount of information about your employees. The ICO has advised that:
- It is reasonable for an organisation to ask its employees whether they are experiencing coronavirus symptoms;
- It is likely to be best practice for organisations to take approaches which minimise the amount of information they need to collect (e.g. advising staff to call 111 if they experience coronavirus symptoms);
- If, after taking the above measures, an organisation still needs to collect specific health data, the ICO has confirmed that any such information collected must be treated with appropriate safeguards.
Under data protection laws, information relating to health is “special category data” and is subject to a higher degree of protection than other types of personal data. As such, if processing health data, an organisation must ensure that it continues to adhere to the additional legal requirements for processing the same.
Notification to Employees
Organisations should keep employees informed of potential coronavirus cases within the organisation; however, specific individuals should not be named, nor should more information be provided than is necessary.
Meeting statutory deadlines
The ICO has confirmed that although it is unable to extend statutory timescales, it will not penalise organisations that need to prioritise other areas or adapt their usual approach to data handling as a result of coronavirus. This is important in the context of responding to subject access requests and other requests from individuals to exercise their rights under data protection law. However, given that the statutory deadlines still apply as usual, we advise exercising a cautious approach and adhering to usual strategies for meeting those deadlines.
Working from home
The ICO acknowledges that data protection is not a barrier to homeworking. Despite the increase in homeworking and the use of personal devices for work, your organisation must still ensure adequate security measures are in place and that policies are followed. Network security and the safeguarding of personal data should not be overlooked.
Advice to organisations
- Although the ICO acknowledges that compliance issues may arise during these unprecedented circumstances, the usual data protection laws and deadlines still apply and you must meet them.
- Ensure that any processing of personal data is proportionate and necessary.
- Do not collect more personal data than is required for the stated purpose.
- Be transparent about the personal data you hold, how the personal data is being used and for what purposes. This information should be given to staff at the point of collection of their data.
- You may need to implement an additional or updated Privacy Notice which deals with the collection of personal data/special category data during the coronavirus pandemic.
- Remind staff about the security policies/procedures in place, in order to ensure compliance when home working.
- Keep staff informed about potential coronavirus cases within the organisation, but do not name specific individuals and do not provide more information than is necessary.
- Consider whether your current personal data retention policies adequately deal with the deletion or retention of any personal data you have collected, or may collect, in relation to coronavirus, once the threat has passed, so that you can deal with that data appropriately and document your rationale for the same.
- Keep informed of legislative and policy developments relating to data protection during the coronavirus pandemic, and any of the ICO’s information and guidance in response.
In current circumstances, we understand that you may have questions and concerns around the use and disclosure of personal data, and meeting statutory deadlines.
Need some guidance on data protection? We’re here for you – just get in touch.