All organisations across the world are facing numerous challenges as a result of the coronavirus pandemic and many organisations will be concerned about what this means for their day-to-day operations.
While data protection is often a term that we want to avoid thinking about, the current situation will have implications for how organisations use personal data and comply with their obligations under the General Data Protection Regulation (GDPR).
The Information Commissioner's Office (the ICO) recently issued guidance for organisations on the challenges faced during this time.
The guidance sets out the ICO's position regarding enforcement of data protection compliance during this time. While there will be no extension of applicable statutory deadlines (for example, the deadline for responding to data subject requests), the ICO has confirmed its intention not to penalise organisations for failing to meet such deadlines as a result of Covid-19 measures.
Implications for your organisation's data protection operations
Organisations which receive data subject requests only have one month to comply with such requests under the GDPR, although there is an option to extend this deadline by a further two months in certain circumstances. The current situation surrounding Covid-19 may mean that staff who normally deal with such requests are working from home and may be unable to access all records remotely.
Organisations will need to think about how Covid-19 will affect their operations, particularly in relation to staff and customers. As we see it, Covid-19 may have the following implications for data protection compliance:
- Increased homeworking: organisations should consider what security measures are appropriate to allow staff to work from home where required to do so, either as a result of self-isolation or Government guidance;
- Collecting health data: while organisations will have obligations to protect employees' health, this does not mean that large amounts of health data should be collected where this is unnecessary. It is still important to ensure that you only collect the personal data that you need for specified purposes. This will also apply to volunteers, tenants and other service users; and
- Communication of cases: if your organisation does have cases of Covid-19, you may need to share this information with anyone who interacts with your organisation. Identifying individuals should be avoided, where necessary, but you should consider if identification is necessary to protect others. There are potential risks from a data protection perspective here where you are not operating under a duty of confidentiality, but we would hope that wider public health concerns are taken into account in order to mitigate these risks.
It is still important to consider transparency regarding how organisations use personal data during this challenging time, so that individuals understand how organisations may need to use additional personal data, particularly relating to health, which is a special category of personal data.
If an organisation is putting in place additional measures to protect its employees or those that it regularly engages with, we would recommend that a short notification is issued in order to confirm how this may change the way in which the organisation uses personal data as this will likely go beyond what is currently covered by your privacy notices.
Get in touch
If you have any particular concerns regarding data protection compliance during this time, please contact a member of our team.