The Information Commissioner’s Office has issued practical guidance on dealing with data protection during the coronavirus (COVID-19) pandemic.
The ICO recognises the unprecedented challenges facing businesses and the need to share information quickly or to adapt the way in which they work. The key is proportionality – if something feels excessive, then it probably is.
There is recognition that resources might be diverted away from usual compliance or information governance work. The ICO will not penalise organisations that need to prioritise other areas or adapt their usual approach. The ICO is unable to extend statutory timescales, but understands there may be delays in responding to subject access requests.
The ICO answers some of the key questions that businesses might be facing, including:
“More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?”
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law does not prevent that, but you will need to consider the same kinds of security measures for homeworking that you would use in normal circumstances.
“Can I tell my staff that a colleague may have potentially contracted COVID-19?”
Yes. You should keep staff informed about cases in your organisation. You probably do not need to name individuals and you should not provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care.
“Can I share employees’ health information to authorities for public health purposes?”
Yes. It is unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law will not stop you from doing so.
The ICO’s guidance is available at https://ico.org.uk/fororganisations/data-protection-and-coronavirus/