Covid-19: Data protection and coronavirus Q&A

1. Will the Information Commissioner’s Office (ICO) take action against us if we are not able to maintain our data protection practices to our usual standards?

No: The ICO has said that it will not penalise organisations whilst they need to prioritise other areas or adapt their usual approach during this extraordinary period. While the ICO cannot extend statutory timescales, it will tell people that they may experience understandable delays when making information rights requests during the pandemic.

2. My staff are homeworking. Are there additional security measures I should have in place?

No: Data protection law does not prevent staff from working from home and using their own device or communications equipment. You will need to consider the same kinds of security measures for homeworking that you would use in normal circumstances.

3. Can I tell my staff that a colleague may have potentially contracted COVID-19?

Yes: You should keep staff informed about cases in your organisation. You should not provide more information than necessary and therefore you probably do not need to name individuals. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection does not prevent you from carrying this out.

4. Should I collect health data in relation to COVID-19 about employees?

No: You have an obligation to protect your employees’ health, but that does not necessarily mean you need to gather information about them. It is reasonable to ask people to tell you if they are experiencing COVID-19 symptoms and to advise them to follow government advice if they are. Do not collect more data than you need and ensure that any information collected is treated with the appropriate safeguards.

5. Can I share employees’ health information with authorities for public health purposes?

Yes: It is unlikely that your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law will not stop you from doing so.