The coronavirus is affecting all aspects of legal life; the area of information law is not out of its reach. Data security concerns arise from the rapid introduction of wide-scale working from home. The need to collect sensitive personal health data for public health purposes is clear, but the necessary protections on the processing of this data, particularly when coupled with new technology, are not as clear. Communications from Government and the NHS about our own health are now widespread.
The ICO has issued guidance on data protection in the midst of this pandemic, available here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/03/covid-19-general-data-protection-advice-for-data-controllers/. That guidance provides:
- The Government, the NHS, and health professionals can send public health messages using all forms of technology (including phone, text, or email). These are not marketing messages. They can also use technology to facilitate safe and speedy consultations and diagnosis.
- Additional collection and sharing of personal data by public bodies may be required to protect against serious threats to public health.
- The statutory timescales for data protection compliance cannot be extended. However, the ICO understands that staff, and expenditure, may currently be diverted from usual compliance work, and it won’t penalise organisations that need to adapt their approach during this extraordinary period.
- Data protection law is not a barrier to homeworking, but the same types of security measures for homeworking that are used in the workplace environment need to be considered.
- Employees should be kept informed about COVID-19 cases in their organisation, though employers shouldn’t provide more information about individuals than is necessary. Similarly, where employers collect health data, they shouldn’t collect more data than they need, and they should ensure that they implement appropriate safeguards.
- Where it is necessary for employers to share information with public authorities about specific employees, for public health purposes, then data protection law will not prevent this.
The ICO has also issued guidance on Freedom of Information, available here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/03/covid-19-general-data-protection-advice-for-data-controllers/. That guidance provides:
- The ICO recognises the unprecedented challenges public bodies currently face, and that resources may need to be diverted away from the usual compliance or information rights work.
- As with data protection, the ICO cannot extend statutory timetables but will not be penalising public authorities for prioritising other areas or adapting their usual approach during this extraordinary period.
- To support public authorities, the ICO will be using its own communication channels to explain that people may experience delays when making information rights requests during the pandemic.
The ICO guidance highlights that “it is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern.” That should provide some comfort to public officials working to steer a course in the current, fluid situation.
On 19th March 2020 the European Data Protection Board (EDPB) adopted a statement on the processing of personal data in the era of the coronavirus. The key points of interest to local authorities are:
- There is a wide range of potential bases for processing personal data in the context of an epidemic without relying on consent, including articles 6 and 9 GDPR.
- In the employment context, the processing of personal data may be necessary for compliance with a legal obligation (e.g. health and safety at work) or the public interest.
- There are derogations to the processing of certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the area of public health on the basis of Union or national law (Art.9.2.i) or where there is a need to protect the vital interests of the data subject (Art.9.2.c), as recital 46 explicitly refers to the control of an epidemic.
While the regulators have placed an emphasis on pragmatism, that assurance cannot be transported wholesale to the field of litigation. To the extent possible, local authorities should keep information rights well within their sights as they navigate their way through COVID-19. For litigation and regulatory purposes, it will be important to keep a careful record of the basis for key decisions taken around data protection.