Over the past few days, commentators and, in some cases, government ministers have stated that the GDPR (and by association the Data Protection Act 2018) are preventing some organisations from providing a comprehensive response to the COVID-19 crisis.
The UK’s Information Commissioner’s Office (“ICO”) has made it clear that “We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that”. This broad statement should provide organisations with a level of comfort that they are unlikely to face regulatory action for legitimate (if not strictly speaking lawful) uses of Personal Data (including Special Category Data) during this time.
The GDPR makes provision to process health data for reasons of substantial public interest (where authorised by law) or for the ‘vital interest’ of a data subject. These conditions are normally difficult for organisations to rely on, but during this crisis they may be appropriate.
However, we recognise that during these times, due to staff illness or shortage and reduced timescales, data protection compliance may be at risk.
The ICO is likely to provide organisations with significantly more leeway, including in situations where you are:
- Not complying with subject rights requests within the one-month time frame, due to a lack of staff;
- Not completing DPIAs and LIAs for new processing activities (that are linked to Coronavirus);
- Not reporting data breaches within 72 hours (although this will significantly depend on the potential harm to individuals);
- Not complying with ICO deadlines (either under their information notice powers, or for conducting remediation activities);
- Not having in place Article 28 Data Processing Agreements where organisations need new data processors urgently;
- Not updating Article 30 records in a timely fashion; or
- Collecting health data (especially of visitors or guests).
Having said this, organisations still need to be proportionate and be able to justify the decisions they make. These statements do not give organisations carte blanche to ignore the GDPR. The ICO has made it clear that you should avoid, if possible, disclosing the names of any individuals affected by the virus or collecting excessive health data on employees or visitors.
Ensuring Personal Data is processed lawfully is unlikely to be any organisation’s main focus during this crisis, but there are a number of simple steps you can take to ensure that you can justify your actions later down the line. For example:
- Keep employees, visitors, customers and clients informed of what data you are collecting and who they can contact about it. A simple sign at the entrance to your office with a list of what data you are collecting and an email contact, although not perfect, will help.
- If you have a task force or crisis committee, ensure that they review any proposed collection techniques. If possible, the DPO should be a member of these committees.
- Continue to apply security controls when sharing data (e.g., encryption and pseudonymisation techniques).
- Consider the rights and freedoms of individuals: the use of additional tracking and/or monitoring technologies on your employees is unlikely to be justified purely because of Coronavirus.
- Limit access to and use of the additional data you collect. Health data collected specifically for Coronavirus should not be entered onto standard HR or CRM platforms without strict controls in place.
- Draft telephone scripts or template emails that explain to individuals that their requests may take longer to respond to.
- Ensure any disclosures, announcements or bulletins go through an appropriate approval channel and that, where possible, unique identifiers such as names have been removed.
- Ensure you inform the regulator in advance if you are unable to meet regulatory deadlines.
It is particularly important to note that any flexibility offered by the regulators during this crisis will quickly come to an end when we return to business as usual. Organisations must review and delete this additional data as soon as it is no longer relevant. The ICO and other international regulators will have little sympathy for organisations that retain this data and will be particularly mindful of anyone trying to exploit this data for commercial gain.
During this time it is about demonstrating that you are considering the potential impact of your actions and having some confidence that you can justify those actions in six months’ time. If you would like to discuss what practical steps you can take, please get in contact with Keily Blair, head of the Cyber & Data Privacy Enforcement & Litigation Practice in London.