As the country faces the direct consequences of the Coronavirus pandemic, there are questions arising about how data is to be handled in the extraordinary circumstances we are in.
In this briefing, we consider some of the key issues which businesses and other service providers are asking about.
One area of focus is around what can be done with health information of individuals who can be identified from the information. While it is important to ensure that appropriate protection continues to be given to personal data and that medical confidentiality is respected, it is also inevitable that many organisations, including employers and service providers, will need to process more personal data relating to the health of their employees or customers than before.
Data protection authorities across the world have been issuing guidance on the need to balance privacy with necessary and proportionate processing to protect health and safety and more generally public health, with the need to take steps to prevent the spread of the virus and to protect human life.
Data protection law does not stop public bodies, healthcare providers or other service providers or employers from undertaking processing in connection with needs arising from the pandemic. However, data controllers should understand the basis for any new processing and seek to ensure that it is done in compliance with the law.
In the case of employers, many employees across the public and private sector have moved to home-working. This is likely to require employers to process and share a greater amount of personal information, such as contact details, when implementing contingency plans.
Consideration should be given to how much additional information is needed and to the relevant lawful basis under Article 6 of the General Data Protection Regulation, e.g. processing necessary for the performance of a contract in some cases or, in others, processing necessary for the legitimate interests of the data controller.
Data protection law does not prevent people from working from home, but consideration still needs to be given to the security measures in place, so that the principle of integrity and confidentiality of data continues to be met, for example, through appropriate IT security and organisational measures and policies. Many organisations will have laid the groundwork for such arrangements through effective contingency planning. Others will need to address these issues to ensure that their arrangements comply with data protection law.
More information being sought from employees
In respect of health information, it is inevitable that data controllers are going to need to ask for more information about the health of people, for example, employers asking employees if they have any symptoms or if they have any conditions that make them more vulnerable.
Such requests may also elicit information about the health of others, for example, where an employee is asked whether they have caring responsibilities that have increased as a result of the virus, which may reveal the health conditions of relatives.
Service providers beyond those in the health service may also be asking for health information about service users or those they live with, in the context of risk management, for example, where a company is asked to send a worker to a customer's property.
Article 9 of the GDPR
Where health data is being collected, it is important for data controllers to consider what condition they can rely upon in Article 9 of the GDPR, noting that health includes physical or mental health or conditions.
Employers can look to Article 9(2) of the GDPR for a legal basis to process special category personal data in the form of health information, for processing necessary for an employer to comply with a legal obligation; they may also have grounds to look to Article 9(2)(i) for processing that is necessary in the public interest in the sphere of public health, as might other service providers.
For each processing operation using health data, a data controller should be recording not only the Article 6 condition that they are relying on, but also their Article 9 condition under GDPR. Other provisions in Article 9(2) might also apply, depending on the circumstances.
If a data controller already held certain health data prior to the Coronavirus pandemic for another purpose, they should consider how they can comply with the GDPR's data protection principles if they wish to process that personal data for a new purpose, even if they consider it to be in the interests of the person concerned, for example, to manage risks to which that person may be exposed. Where such use is considered, data controllers should also take steps to ensure that the personal data is up to date and accurate.
The approach of the Information Commissioner
The UK Information Commissioner (the ICO) has issued guidance noting the "unprecedented challenges" presented by the Coronavirus pandemic, and providing some reassurance about how data controllers are expected to meet their various obligations under the Data Protection Act 2018 and the General Data Protection Regulation. Data protection law contains a number of time limits within which data controllers must comply with various requirements of the law, such as dealing with data subject requests.
The ICO has indicated that she will not take regulatory action where data controllers take longer than usual to deal with requests, acknowledging that organisations may have to divert essential resources from dealing with these requests to other areas of work. While the ICO cannot extend the statutory timescales for compliance under data protection law, she will not penalise organisations for prioritising other key business areas as a result of the current extraordinary circumstances, and her own office will be informing people that they may experience delays at the current time in relation to the exercise of information rights.
It is important for data controllers to ensure that any new processing arrangements are undertaken in accordance with the principles of transparency and accountability. This includes being clear about the purpose for collecting personal data and how long it will be used and retained for.
In that regard, data controllers should review their Privacy Notices under the GDPR to ensure that they are updated where required to cover these activities, including the categories of data, the purposes, the retention periods and any disclosure to third parties. In terms of accountability, this means documenting their decisions about what information is being processed in the circumstances of the Coronavirus pandemic and keeping that processing under review.
For help and advice, our Business Resilience Group is ready to speak to you. For further information on data protection matters, contact Fiona Killen or Douglas McLachlan and for business issues generally, contact our group lead, Neil Amner directly.