Information Law – Guidance in the COVID-19 era
Editor's note: Some links in this article to the ICO website have been removed as the information referred to is no longer accessible – January 2024.
There has been plenty of guidance and other information published over the past few weeks to assist clients with managing data protection issues and we thought it may be useful to summarise some of it here.
First, just yesterday, the ICO published its Regulatory Approach during the coronavirus public health emergency. This acknowledges that organisations are facing staff and operating capacity shortages, redeploying resources to meet new demands and facing acute financial pressures. The ICO notes that it will act in a manner which takes into account these circumstances when exercising its enforcement powers and will have an “empathetic and pragmatic approach” which will focus efforts “on the most serious challenges and greatest threats to the public” and involve the “application of flexibility in regulatory response.”
Second, for those involved in information rights litigation, it is important to note that the First Tier Tribunal has now issued a general stay of all proceedings lasting 28 days from 1 April 2020. However, the directions for a general stay also make it clear that they do not apply to any cases which have been given specific directions on or after 1 April 2020 and parties may apply for variation of directions if they wish to do so.
Third, the ICO has launched a new data protection and coronavirus information hub.
This contains helpful guidance for data controllers and explains that:
1. While the ICO cannot extend statutory timescales, it will not penalise organisations who fail to respond to information rights requests within the usual timeframe if organisations need to prioritise other areas or adapt their usual approach during this period;
2. If staff are working from home (as the vast majority of us now are), organisations should ensure that they have the same kinds of security measures for homeworking as they would have in normal circumstances; and
3. Organisations may collect health data about COVID-19 from employees in order to protect the health of other employees.
This general guidance for data controllers is reiterated by two bits of specific guidance. First, there is FOI and Coronavirus guidance where the ICO has some reassuring words for data controllers, noting:
“We are a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with information rights work when assessing a complaint brought to us during this period, we will take into account the compelling public interest in the current health emergency.”
Second, there is specific advice for healthcare professionals. There the ICO explains that:
“Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.”
As well as all of the above, the ICO has published a helpful blog for community groups who may have data protection concerns, most of which is echoed and amplified in the very helpful guidance published last month by Matt Lewin.
For those wearing their data subject hats, the ICO has published helpful advice about avoiding scammers during the pandemic which notes, rather alarmingly, that Action Fraud has reported a 400% rise in Coronavirus Fraud Reports. The advice focuses on the importance of pausing when you read emails and considering matters such as the legitimacy of the sender’s email address, spelling, punctuation and grammar, whether you have an existing relationship with the sender and whether the sender is asking you to urgently verify details within a specific time limit.
In response to those who have concerns about the use of mobile phone location data, Deputy Commissioner Steve Wood has also explained that:
“Generalised location data trend analysis is helping to tackle the coronavirus crisis. Where this data is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified. In these circumstances, privacy laws are not breached as long as the appropriate safeguards are in place.”
This echoes the views of the European Data Protection Supervisor and guidance published by the European Data Protection Board which adds that data protection rules such as the GDPR do not hinder measures taken in the fight against the COVID-19 pandemic but even in these exceptional times, data controllers and processors must still ensure the protection of the personal data of data subjects. In particular, there must still always be a lawful basis for processing and any measures taken by organisations must respect the general principles of law.
Although the UK authorities remain tight-lipped about an exit strategy, this week the EU Commission published its recommendations for a common approach or ‘toolbox’ to using mobile apps and location data to combat and exit COVID-19. This toolbox will focus in particular on (1) the need for a pan-European approach for the use of mobile applications to enable targeted social distancing measures and for warning, preventing and contact tracing and (2) a common scheme for using anonymised and aggregated data on population movement to model the evolution of the disease, monitor effective social distancing and confinement and inform a coordinated exit strategy. However, the focus on data protection remains, with the recommendation noting that “paramount throughout the process should be respect for all fundamental rights, notably privacy as well as data protection, the prevention of surveillance and stigmatisation.”
Finally, for those curious about the approaches being taken a little further afield, Hunton Andrews Kurth has helpfully published English language versions of COVID-19 guidance published by the German, Dutch, Belgian and French data protection authorities. The common thread from all of the guidance appears to be that while data protection rules should not hinder the fight against COVID-19, and regulators may show some flexibility, employers and other organisations must still ensure they comply with data protection requirements and not, as the Dutch suggest, allow this crisis to become a prelude to a “Big Brother” society.
As always, the Information Law Team at Cornerstone Barristers are ready and able to assist you with any data protection and information law issues that may arise over the coming weeks and months.