The UK Information Commissioner (ICO) has issued some advice for data controllers in recognition of the significant challenges being presented by the Coronavirus (COVID-19) pandemic.
Among other things, in a move that will no doubt come as a relief to many data controllers, the ICO has confirmed that, during the pandemic, it will refrain from taking regulatory action against organisations which may not meet their usual standards in relation to data protection if the ICO is aware that such organisations need to change their usual practices or focus on other issues during the crisis.
The advice also covers the following areas:
the sending of public health messages regarding COVID-19 by healthcare organisations to individuals without prior consent;
security measures to consider when staff work remotely;
informing staff that co-workers may have contracted COVID-19;
collection of health-related data regarding COVID-19 about visitors and employees; and
the sharing of employees' health information with authorities for the purposes of public health.
Among other things, the advice highlights the need for organisations to protect against serious threats to public health and ensure employees' health and safety, while minimising the collection and use of personal data and acting in an appropriate and proportionate way in response to the crisis.
During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?

No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.