The Information Commissioner's Office (ICO) has issued guidance to organisations to reassure them that they recognise the unprecedented challenges they face during the coronavirus (COVID-19) pandemic and that they are here to help.
Within the guidance, the ICO confirms that it will not penalise organisations who are required to adapt their usual data protection practices, such as allocating individuals or finances to deal with the crisis. However, it warned about being proportionate.
The ICO also addressed the following common areas of concern:
- Although it recognises that usual practices may be adapted or delayed, it confirmed they would not be extending the statutory timescales. Instead, it will inform individuals through their channels of communication that they may experience delays during the pandemic when making information right requests.
- Data protection laws will not prevent the government, NHS or health professionals from sending public health messages by phone, text or email.
- Staff will not be prevented from working from home during the pandemic. However, organisations must ensure they are adhering to data protection legislation by following the same security measures for home working as they would in normal circumstances.
- Organisations are required to keep staff up to date with COVID-19 in the workplace. This may involve informing the staff that one of their colleagues is showing symptoms or has tested positive. This would not be prevented by data protection; however, organisations should avoid specifically naming individuals.
- Organisations are entitled to request that staff showing symptoms inform them and refrain from attending the workplace, and if necessary, call 111 for advice. In the unlikely event this is not enough and you need to collect specific health data, this must be limited to what is strictly necessary and treated with the appropriate safeguards.