Data protection no barrier to managing coronavirus

Both the UK's Information Commissioner's Office (ICO) and Data Protection Commission (DPC) in Ireland have issued statements on data protection and coronavirus, which is officially named Covid-19.

Data protection law expert Nicola Barden of Pinsent Masons, the law firm behind Out-Law, said the statements would help reassure businesses and that they contain useful guidance.

"The statements stress that data protection law does not stand in the way of the provision of healthcare and the management of public health issues," Barden said. "This is helpful as organisations often worry about data protection requirements in situations where data protection should not prohibit them from taking necessary action, particularly in situations like responding to Covid-19."

Guidance from the ICO and DPC highlight, however, that organisations processing personal data in managing issues concerned with the virus outbreak must continue to respect data protection principles, such as ensuring that personal data is secure – by minimising access, ensuring strict timelines for erasure and adequate staff training, for example – and keeping the personal data collected to the minimum required.

"At all times, the processing of personal data in relation to measures responding the Covid-19 should be necessary and proportionate, which will be informed by the guidance and/or directions of public health authorities, or other relevant authorities," Barden said.

In its guidance, the DPC suggested some lawful bases that might be appropriate in relation to processing of personal data related to Covid-19. This includes where processing is necessary for compliance with a legal obligation, such as their duty to protect employees from coronavirus issues under health and safety legislation, or where processing is necessary to protect the vital interests of an individual data subject or other persons.

The DPC's guidance also sets out questions that the regulator said it has received from employers regarding data protection and coronavirus in an HR context, as well its answers to those questions. This 'Q&A' section addresses how employers can use personal data to monitor the spread of Covid-19, what personal data they can collect from their employees, and what they can tell employees if a member of staff contracts the virus.

"This is really useful as employers are facing situations and dealing with special category health data in ways that they may not have had to before," Barden said. "For example, the DPC has stated that an employer would be justified in informing staff that there has been a case, or suspected case, of Covid-19 in the organisation and requesting them to work from home, but that the communication should not name the affected individual."

In its statement, the ICO said it recognised that Covid-19 poses "unprecedented challenges" and tried to reassure organisations about the regulatory approach it will adopt over the period.