The Information Commissioner’s Office (ICO) recently issued general guidance on a number of data protection issues raised by the Coronavirus (COVID-19) pandemic. The guidance can be found here.
Amongst the issues addressed, the ICO has said that
- it understands that organisations may have to divert resources from normal compliance and information governance work to deal with other priorities and that may result in delays in dealing with information rights requests
- data protection should not be a barrier to homeworking but organisations need to consider putting in place the same kinds of security measures that would apply to workplace working
- organisations can keep staff informed about COVID-19 cases in the organisation but the information disclosed should not be more than is necessary to protect the health and safety of staff.
- organisations can ask staff reasonable questions for the purposes of protecting employee health. These might include questions about whether they had visited a particular country or are experiencing symptoms etc. The guidance does stress, however, that if specific health data has to be collected then organisations shouldn’t collect more than they need and any information collected needs to be subject to appropriate safeguards.
The advice is helpful and should help organisations to navigate some basic data protection issues when facing up to the immediate challenges being raised by COVID-19.
Ultimately, data protection should not be a barrier to processing personal data where that processing is proportionate and reasonable for the protection of health and the guidance recognises that.
With remote working, organisations should make sure that staff are reminded of what is/is not permissible in terms of ways of working. Staff should be reminded that data needs to be held securely in the organisation’s IT network or other approved environments – and not on ‘favourite apps’ that are outside the organisation’s control and security frameworks. As staff also adjust to changes in how they work, it is also worth cautioning them to the risk that hackers may seek to attack IT systems, seeking to exploit the disruption that the transition to homeworking arrangements may bring. Heightened vigilance will be required.
On March 18, 2020