ICO and EU data protection authorities issue guidance on COVID-19

The guidance seeks to address key questions arising during the coronavirus outbreak.

20 March 2020

Publication

In recognition of the challenges which organisations are now facing as part of the ongoing Coronavirus pandemic, the UK’s Information Commissioner’s Office (the “ICO”) issued some guidance – “Data protection and coronavirus: what you need to know” – on Thursday 12 March for data controllers in the UK.

The ICO acknowledges that, in light of Coronavirus, organisations “might need to share information quickly or adapt the way [they] work”, but the ICO is clear that an organisation’s approach should be proportionate. The ICO comments, “if something feels excessive from the public’s point of view, then it probably is”.

The ICO also seeks to address some key questions:

  1. Continuing to comply with data protection requirements and data subject requests over this period: The ICO acknowledges that resources will be diverted from usual compliance or information governance during this period and says that it will not penalise organisations where it knows that they have needed to prioritise other areas or adapt their usual approach during this period. The ICO also says that the prescribed timescales for responding to data subject requests under the GDPR cannot be extended, but that it does intend to communicate that individuals may experience understandable delays when making requests during the pandemic.

  2. Working from home: The ICO is clear that data protection is not a barrier to working from home, but the ICO does state that security measures which should be considered in normal circumstances should also be applied to home working.

  3. Informing staff of colleagues who have / may have contracted COVID-19: The ICO says that you can and should keep staff informed about cases within the organisation but that organisations should ensure that they do not provide more information than necessary – for example, the ICO says that it is unlikely that the name of the infected individual would need to be shared. The ICO expressly states that organisations have an obligation to ensure the health and safety of their employees, as well as a duty of care.

  4. Collecting health data in relation to COVID-19 from employees and visitors to the organisation: The ICO explains that, whilst organisations have a duty to protect the health of their employees, this does not necessarily mean that they should be collecting limitless information in relation to them. The ICO suggests the following examples may be sensible measures:

    • asking individuals to confirm whether they have visited a particular country;
    • asking individuals to confirm whether they have experienced particular symptoms;
    • asking visitors to consider government advice before entering the building; or
    • advising staff to call 111 if they are experiencing symptoms or have visited particular countries.

  5. Sharing employees’ health information with authorities for public health purposes: In the unlikely event that organisations need to share information with authorities about specific individuals, then the ICO says that it will not prevent organisations from doing so.

The UK’s ICO is certainly not alone – other EU data protection authorities have also issued their own guidance on data protection issues relating to Coronavirus, as set out in the table below.

Additionally, on Monday 16 March, the Chair of the European Data Protection Board (EDPB), Andrea Jelinek, issued a statement on the processing of personal data in the context of the COVID-19 outbreak. The statement makes clear that EU data protection rules do not stand in the way of the adoption of measures to combat the effects of the Coronavirus pandemic. However, the EDPB stresses that data controllers should keep in mind a number of considerations when adopting measures that involve the processing of personal data. These considerations include ensuring that organisations are able to rely upon appropriate legal grounds provided by the GDPR which enable organisations to process personal data in the context of the pandemic without the consent of data subjects, such as processing that is “necessary for reasons of public interest in the area of public health” (article 9(2)(i) GDPR).

Data protection guidance on Coronavirus issued by European data protection authorities

Belgium

“COVID-19 et traitement de données à caractère personnel sur le lieu de travail” (in French, translated to “COVID-19 and processing personal data at work”)

Denmark

“Hvordan er det med GDPR og coronavirus?” (in Danish, translated to “How about GDPR and coronavirus”)

France

“Coronavirus (Covid-19) : les rappels de la CNIL sur la collecte de données personnelles” (in French, translated to “Coronavirus (Covid-19): reminders from the CNIL on the collection of personal data”)

Germany

Conference of German DPAs – “Datenschutzrechtliche Informationen zur Verarbeitung von personenbezogenen Daten durch Arbeitgeber und Dienstherren im Zusammenhang mit der Corona-Pandemie” (in German, translated to “Data protection law information on the processing of personal data by employers and public-sector employers in connection with the corona pandemic”)

DPA of Baden-Wuerttemberg – “FAQ Corona” (in German)

Ireland

“Data Protection and COVID-19” (in English)

Italy

“Coronavirus: Privacy Guarantor, no "do it yourself" initiatives in the collection of data” (in Italian and English). Superseded by the Joint protocol for regulating the measures in order to contrast and to reduce the spread of COVID-19 at the workplaces (executed by Government and main trade unions associations on 14 March 2020)

Luxembourg

“Coronavirus (Covid-19): Recommandations De La Cnpd Relatives À La Collecte De Données Personnelles Dans Un Contexte De Crise Sanitaire” (in French, translated to “Coronavirus (COVID-19): CNPD recommendations relating to the collection of personal data in the context of a health crisis”)

Netherlands

“Mijn zieke werknemer” (in Dutch, translated to “My Sick Employee”)

Norway

“Korona og personvern” (in Norwegian, translated to “Coronavirus and privacy”)

Poland

“Oświadczenie Prezesa UODO w sprawie koronawirusa” (in Polish, translated to “Statement by the President of UODO on the coronavirus”)

Slovakia

“Koronavírus a spracúvanie osobných údajov (aktualizované 13.3.2020)” (in Slovak, translated to “Coronavirus and processing of personal data”)

Slovenia

“Odgovorno ravnanje vseh je ključno v času virusne krize” (in Slovenian, translated to “Responsible behaviour is crucial during a crisis”)

Russia

“Роскомнадзор разъясняет особенности использования тепловизоров работодателями - операторами персональных данных – с целью предотвращения распространения коронавируса” (in Russian, translated to “Guidance regarding use of thermal imagers and related processing of data on body temperature of employees and visitors”)

Spain

“Informe Covid” (in Spanish, translated to “Report on Covid”) and FAQs

Sweden

“Coronavirus och personuppgifter” (in Swedish, translated to “Coronavirus and personal data”)

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.