The Covid-19 pandemic brings a sharp focus to the difficult balance that GDPR strikes between the rights of individuals and society as a whole.
In these unprecedented times, how will EU and UK data protection authorities deal with data protection and privacy, in the light of serious concerns around both health and the economy?
Fortunately, we have the benefit of a set of guidance notes from the UK Information Commissioner’s Office (“ICO”), while the European Data Protection Board has issued detailed guidelines for test and tracing apps.
We summarized five ICO guidance notes in Part 1 of this article, in our July newsletter. In this Part 2 we summarize the remaining guidance, some updates to the previous guidance and the EDPB guidelines. References to GDPR are to both the EU and the UK GDPR.
Further ICO Guidance
1. Updated Regulatory Approach during Coronavirus1
The ICO has updated its regulatory approach guidance since the summer. The broad thrust remains that the ICO claims to understand that organizations are operating in challenging times and will adjust its regulatory approach accordingly, while acknowledging the important role of people’s information rights.
Against this background it commits to:
Notably, the ICO no longer acknowledges the pandemic’s impact on the 72-hour deadline for data breach reporting. However, it will consider generally whether non-compliance results from the pandemic and may give organizations longer than usual to rectify breaches, where the pandemic has impacted the ability to put things right. The ICO also maintains its previous stance on reducing the level of fines.
2. Contact Tracing
As part of the UK’s anti-Coronavirus regime, organizations offering hospitality, tourism, leisure and close contact services have to collect personal data on customers, visitors and staff for contact tracing purposes.
The ICO gives those organizations the following guidance:
Full details can be found here. More detailed advice is also available for organizations unaccustomed to handling personal data here.
3. Coronavirus Recovery
The ICO provided guidance in the form of six key steps for organizations collecting additional personal data to provide a safe environment for staff, namely:
Full details are available here.
There is additional guidance for organizations carrying out their own symptom checking or testing, see Part 1 of this article under Workplace Testing – guidance for employers and the ICO website.
This guidance covers the use of surveillance to monitor whether employees are observing coronavirus prevention measures or to monitor contract tracing.
Such surveillance is permitted, but only if needed and proportionate for health and safety, and if there is no less intrusive way to achieve the same result. The ICO has a template which can be used to help determine the answers to these questions.
Organizations practicing surveillance must post clear notices of what is being done and why. They must then regularly review their need for and methods of surveillance.
While monitoring whom individuals come into contact with is not prohibited, it appears to require more sensitive treatment, which may include speaking to affected individuals and advising them on self-isolation. The guidance is equivocal on this issue and not particularly helpful.
Further detail from ICO is available here.
5. Case Studies
This guidance consists of four case studies, covering subject-matter such as employers who wish to ask employees to complete coronavirus symptom questionnaires and cafés who manually collect track and test data.
It sets out the issues to consider and approach to take in each scenario.
6. Covid Tracing Apps – ICO and EDPB Guidelines
On 13th October, the ICO’s blog reported on the advice and guidance it had given all four UK administrations to ensure that the NHS and other official Covid apps were designed to take account of data protection rights.
No doubt this advice was consistent with the Guidelines issued in April by the European Data Protection Board (EDPB) on contact tracing apps.
These Guidelines are fairly lengthy, at 19 pages including a useful analysis guide. In brief, they recommend:
The EDPB concludes:
“one should not have to choose between an efficient response to the current crisis and the protection of our fundamental rights: we can achieve both, and moreover data protection principles can play a very important role in the fight against the virus. European data protection law allows for the responsible use of personal data for health management purposes, while also ensuring that individual rights and freedoms are not eroded in the process.”
The official guidance is wide-ranging and useful. Organizations which intelligently follow its approach should find themselves in a strong position with regard to compliance with these complex laws.