The COVID-19 pandemic brings a sharp focus to the difficult balance that the GDPR seeks to strike between the rights of individuals and society as a whole.
In these unprecedented times, how will the data protection authorities deal with the issue of data protection and privacy, in the light of grave concerns around both health and the economy?
Fortunately, we have the benefit of a series of guidance notes from the UK Information Commissioner’s Office (ICO), while the European Data Protection Board has issued detailed guidance for test and tracing apps.
In this article, which is in two parts, we summarize that guidance. References to GDPR are to both the EU Regulation and the UK’s Data Protection Act 2018. Part 2 of this article will be published later.
The ICO has published around 10 guidance notes and blogs, both broad and specific, covering a wide range of topics. You can access the ICO guidance here. Part 1 of this article covers the first five of these.
The note goes on to recognize that organisations might need to divert resources from their usual data protection work and states that the ICO will not penalize them where they need to prioritize other areas during this period.
The guidance concludes with a promise to inform people that they may experience understandable delays when making information rights requests during the pandemic, although it cannot formally extend statutory timescales. It then directs readers to guidance on its regulatory approach, described next.
Equally, it points out that information rights continue to have an important role, while acknowledging that the nature of data protection law confers flexibility, containing checks and balances to ensure personal information can flow and be effectively utilized for healthcare, apps and research projects.
The ICO commits to an “empathetic, pragmatic, proportionate” approach, including:
The ICO then pats itself on the back, declaring itself "a reasonable and pragmatic regulator," which will place the safety and security of the public first with regard to data protection compliance.
The guidance contains a useful security checklist, including features on BYOD and video conferencing.
Organisations would be well advised to read this, since data security is one of the key principles of GDPR and poor security is the most common reason for fines.
The ICO advises that data protection law does not prevent employers taking the necessary steps to keep staff and the public safe and supported during the pandemic. Nevertheless, it does require them to be responsible with people’s personal data and ensure they handle it with care.
The guidance focuses on "return to work" tests to check whether staff have COVID-19 symptoms. Such tests involve pro-cessing health data, classed as "special category data" under GDPR due to its sensitivity, and requiring even more careful protection.
Private organisations have first to be satisfied they need to carry out such tests to satisfy employment law, i.e. their health and safety at work obligations as employers.
Employers must then demonstrate compliance throughout the process, ranging from additional record keeping to collecting only the minimum amount of information needed. For example, requiring information about the result of a test only, rather than additional details about underlying conditions. Employers must also record the date of test results to avoid holding out-dated and therefore inaccurate personal data.
Where employees test positive, this information can be retained, securely and subject to a duty of confidentiality. However, this must not result in any unfair or harmful treatment.
Transparency is equally important. Employers must be clear and honest with employees, explaining what they intend to do with the results before testing.
Other staff should be informed about potential or confirmed COVID-19 cases among their colleagues, but without naming individuals if possible. The information can also be shared with authorities for public health purposes, or the police where necessary and proportionate.
Part 2 of this article, covering some more guidance from the ICO and the EDPB Guidelines on track and tracing apps, will be published later.