Covid-19: Ico &Data Protection Implications | CFR

Given the unprecedented nature of COVID 19, many would argue that the GDPR and Data Protection Act 2018 should not stand in the way of businesses as steps are taken to safeguard health and safety. However, sensitive health and travel information is being requested and homeworking is being rolled out which will inevitably present challenges from a data protection perspective.

Thankfully, the Information Commissioners Office in the UK (ICO) has issued a helpful Guidance note which should help to allay any fears that organisations will be penalised severely. The key takeaways are as follows:

• Data protection will not stand in the way of you sharing information or adapting the way you work provided it is done in a proportionate way
• The ICO understands that resources might be diverted away from usual compliance or information governance work where necessary and organisations won’t be penalised for that
• The statutory timescales can’t be extended (eg 72 hour notification window in the event of a breach or one month window to respond to a SAR unless complex) but the ICO will inform people through their own channels that delays are to be expected during the pandemic
• Data protection is not a barrier to homeworking provided that you consider the same type of security measures as you would normally
• You can tell other employees if a colleague is diagnosed with COVID 19 but don’t name the individual
• You can ask employees if they have visited a particular country or are experiencing COVID 19 symptoms, just don’t request any more information than you actually need and treat it with care
• You can share employees’ health information with authorities for public health purposes but only if necessary.

In summary, a sensible and pragmatic approach will be adopted by the ICO which is a welcome relief.

Should you have any queries in relation to the above, please contact Aisling Byrne, Director