We previously wrote about the implications of the Coronavirus (Covid-19) pandemic on organisations' compliance with their data protection responsibilities following the Information Commissioner's Office (the ICO) guidance for organisations on the challenges faced during this time.
The data protection considerations in relation to Covid-19 include ensuring compliance with data subject requests within the timescales prescribed by the General Data Protection Regulation (the GDPR), ensuring processing of personal data relating to Covid-19 is lawful and data security.
Data subject requests
As per our previous article, the ICO has confirmed that while it cannot extend the statutory deadlines for responding to requests (one month under the GDPR, which can be extended by two months in certain circumstances), it does not intend to penalise organisations for failing to meet such deadlines as a result of Covid-19 measures.
However, as well as managing resources in order to comply with the GDPR's timescales, organisations may face challenges in being able to collate and review all applicable personal data. The GDPR primarily relates to electronic personal data and so even with remote working it should be possible for organisations to access such personal data for the purposes of, for example, responding to a subject access request.
If there is any personal data that cannot be accessed as a result of Covid-19 measures in order for an organisation to fully respond to a data subject request under the GDPR, organisations may seek to respond to the request as much as it can and inform the data subject of any limitations in the current circumstances. Organisations must then ensure that the request is fully complied as soon as possible when any Covid-19 restrictions are lifted.
Lawful processing of personal data
The Covid-19 pandemic may result in organisations needing to process further information relating to individuals' health – for example, whether they are displaying symptoms of Covid-19 or are self-isolating – which falls within the definition of "special categories of personal data" under the GDPR. This may relate to employees or service users and organisations will need to consider how such information is processed lawfully under the GDPR.
As a reminder, in order to process personal data lawfully under the GDPR a controller of personal data must meet at least one lawful basis and where special categories of personal data are being processed, the controller must meet at least one special condition, as well as a lawful basis, to process such personal data.
The applicable lawful bases for processing personal data relating to Covid-19 will depend on the type of organisation and relationship with the individual. Competent public health authorities and employers will likely be able to rely on their legal obligations in order to process such personal data. For example, employers may need to process personal data, including health data, to ensure the health and safety of their workforce.
In relation to the applicable special conditions for public authorities and employers, the GDPR includes a specific 'public health' condition where processing is necessary to prevent serious cross-border threats to health – this would undoubtedly apply to the current Covid-19 pandemic. However, under the Data Protection Act 2018 (the DPA), such processing must be carried out by or under the responsibility of a health professional or another person who has a duty of confidentiality under law.
Accordingly, this special condition may not always be appropriate where an organisation is seeking to process health data relating to service users or visitors to whom they do not owe a legal duty of confidentiality. Alternative options may be to consider the vital interests special condition, which applies where processing of personal data is necessary in emergency life-or-death situations and the data subject cannot consent to such processing, or where processing of health data is required to safeguard individuals from risk.
Once an organisation is satisfied that they can lawfully process personal data under the GDPR, it is still important to consider transparency regarding how organisations use personal data during this challenging time.
This relates to the obligation to provide individuals with privacy notices and so organisations will need to check their privacy notices to ensure that any additional processing of personal data relating to Covid-19 is covered. If not, privacy notices will need to be updated or organisations can issue a short notification to relevant individuals.
Further, depending on which special condition is met to process additional health data as a result of Covid-19, organisations may need to implement an "appropriate policy document" under the DPA. Employers should already have this document in place and so it may just be a case of checking it to ensure that it is up-to-date. However, organisations that have started processing health data as a result of Covid-19 in order to safeguard individuals from risk may need to prepare this document in line with the requirements of the DPA. The ICO has a template available online.
With increased homeworking organisations should consider what security measures are appropriate to allow staff to work from home where required to do so, either as a result of self-isolation or Government guidance.
Additional security measures may be required in relation to devices used to process personal data, printing documentation and destroying personal data. Organisations may need to issue further guidance to remind staff that their data security obligations do not change and, for example, paper documentation should be securely destroyed. If this is not possible, staff should be advised to securely store such documentation at home until they can return to the office to securely destroy it.
We are also seeing a large increase in the use of remote video and telephone conference apps, such as Zoom. Where personal data and confidential matters are being discussed during virtual meetings, organisations should think about what apps meet minimum levels of security requirements.
There have been criticisms of the vulnerability of certain apps and so while it is important to ensure that organisations can still operate effectively during the current pandemic, this should not be at the expense of data security as there are providers on the market that have higher levels of security than others. Organisations should consider carrying out a data protection impact assessment to determine which provider is the best one to use for their purposes.
Get in touch
If you have any particular concerns regarding data protection compliance during this time, please contact a member of our team.