Reasonable and Pragmatic Approach by UK’s ICO to GDPR Compliance during the COVID-19 Pandemic

March 24, 2020


On March 12, 2020, the Information Commissioner’s Office (ICO), the U.K.’s data protection authority (DPA), published Guidance for data controllers on their data protection compliance obligations during the COVID-19 pandemic. The take-away point is that the ICO will take into account “the compelling public interest in the current health emergency” and will take a “reasonable and pragmatic” approach to enforcing data protection obligations. In light of this Guidance, the question of what particular steps are proportionate, in terms of General Data Protection Regulation (GDPR) compliance, will be of increasing importance while organizations and individuals navigate the pandemic.

The ICO states that it does not operate in isolation from matters of serious public concern. It recognizes the unprecedented challenges faced by data controllers as well as by society at large during the pandemic, and acknowledges the potential needs of organizations to share information quickly or adapt the way in which they work at short notice. The Guidance provides answers to six frequently asked questions about compliance with the GDPR during the COVID-19 pandemic, as summarized below.

1. Responding to data subject access requests (SARs)

The Guidance states that although the ICO cannot modify statutory timescales, it will not penalize organizations that it knows need to prioritize other areas or adapt their usual approach. Additionally, the ICO states that it has made provisions to inform the public through its own communication channels that they may experience delays when making SARs during the pandemic.

2. Health care organizations contacting individuals about COVID-19 without prior consent

The Guidance clarifies that the GDPR and electronic communication laws do not stop the U.K. government, the U.K. National Health Service or any other health professionals from sending public health messages (including about COVID-19) to people, either by phone, text or email, because these messages are not direct marketing.

In a nod to making use of technological advances, the ICO further states that data protection laws do not stop health professionals from using the latest technology to facilitate safe and speedy consultations and diagnoses. Further, the Guidance recognizes that public bodies may require additional collection and sharing of personal data to protect against serious threats to public health, as in the current pandemic.

3. Security measures and homeworking arrangements

During the pandemic, employees may work from home more frequently than usual. The ICO’s view is that data protection is not a barrier to increased and different types of homeworking. However, the ICO advises that organizations should consider adopting the same kind of security measures for homeworking that would be used under normal circumstances (see further details below).

4. Informing employees that a colleague may have contracted COVID-19

The GDPR does not prevent organisations from keeping staff informed about cases of COVID-19 among their workforce. However, data controllers must be prudent not to name individuals or to provide more information to colleagues than strictly necessary.

5. Collecting health data relating to COVID-19 from employees

Organizations must ensure that they do not collect more data than they need and that any data collected in connection with the pandemic is treated with the appropriate safeguards. Examples of reasonable data collection may include asking employees (and/or visitors to an organization) whether they visited a particular country or whether they are experiencing COVID-19 symptoms.

6. Sharing employees’ health information with authorities

The GDPR will not stop organisations from sharing information with authorities about specific individuals, although it is unlikely that organisations will be required to do so in the first place.

Guidance from the EDPB and other DPAs

At the time of writing, all but three of the other European DPAs have issued guidance on the impact of COVID-19 on GDPR compliance obligations. It is possible that as the global spread of COVID-19 continues to develop, European DPAs may revisit their guidance.

On March 19, 2020, the European Data Protection Board (EDPB) also adopted a formal statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB states that data protection rules, such as the GDPR and the e-Privacy Directive, do not hinder measures taken in the fight against the coronavirus pandemic. The EDPB underlines, however, that even in these exceptional times the data controller and processor must ensure the protection of the personal data of the data subjects. A number of considerations should therefore be taken into account to guarantee the lawful processing of personal data. The EDPB states that in all cases any measure taken in this context must respect the general principles of law and must not be irreversible. Certain issues, such as the use of mobile location data and matters concerning data protection in the employment sector, are specifically addressed in the EDPB’s statement.

Further, guidance about the impact of COVID-19 on data protection laws has been published by a few regulators outside the European Union, including Switzerland, Norway, Russia, Hong Kong, Singapore, Australia and Canada.

Please consider Akin Gump’s online COVID-19 Resource Center in relation to issues relevant to data protection, such as remote working, business/personal travel quarantine and sick leave obligations. Please get in touch with a member of the Akin Gump team if you would like more information on how your organization can ensure that it meets its data compliance obligations during the pandemic.

 Contact Information

If you have any questions concerning this alert, please contact:

Mark Dawkins
London
+44 20.7661.5330

Jenny Arlington (nee Grozdanova)
London
+44 20.7012.9631

Jay Jamooji
London
+44 20.7012.9845

 


© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.