• Home
  • News
  • Data protection and coronavirus: what you need to know

25 May 2021

Data protection and coronavirus: what you need to know


It is undoubtedly a challenge for organisations to manage data protection and privacy risks while also responding to the threats posed by Covid-19. However, organisations handling personal data should be reassured that data protection law will not prevent them from responding to the evolving challenges brought by the pandemic.

As lockdown measures are being lifted and the vaccine roll-out continues, attempts are being made to return to "business as usual". However, it is important for organisations not to let the relaxation of restrictions change their approach to personal data. In particular, the protection afforded to employees, customers and third parties should not be reduced. The rights and obligations conferred by data protection laws are fundamental and, what's more, they are entirely consistent with taking steps to tackle coronavirus.

Throughout the pandemic, international data protection regulators have published significant amounts of guidance on how to deal with coronavirus while still respecting data protection law. Guidance from the ICO (available through its coronavirus hub) remains of particular interest to our UK clients, and the EDPB is also working to promote a common approach to the use of mobile apps and data in fighting coronavirus. The National Cyber Security Centre's guidance and the ICO's security checklist for home and remote working by employees will continue to be valuable, as they cover practical steps for managing security.

Over the past year, international regulators and authorities have issued plenty of guidance in response to some of the issues that have arisen in the market. The key takeaways for UK organisations are as follows:

  • Response times and information governance: 

    While organisations continue to navigate and recover from the pandemic, they should continue to be reassured that they will not be penalised for prioritising other areas or for adapting their usual approach to dealing with requests or complaints from data subjects.

    The ICO is just one of a handful of pragmatic regulators to explicitly recognise that businesses may not be able to meet the same standard of response times to information rights requests as they would under normal circumstances. While the ICO is unable to officially extend statutory timescales, it has said that it will seek to advise complainants that they may experience understandable delays when making requests during the pandemic. In a paper published by the ICO on its approach to regulation during the pandemic, it is stated that it is prioritising its resources. For example, while data breaches must still be reported within 72 hours, the ICO will “take an appropriately empathetic and proportionate approach”, recognising that the current crisis may impact organisations’ response times. In deciding whether to take formal regulatory action, including issuing fines, the ICO will also take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right once the crisis has stabilised. It remains true that organisations may be given longer than usual to rectify any breaches that predate the crisis, particularly where it has continued to impact the organisation’s ability to take steps to put things right. 

    Certain organisations have also changed their procedures for checking the identity of those making subject access requests during the pandemic. For example, subject access requests made to the Disclosure and Barring Service by email may be accompanied by scanned images of ID documents, rather than hard copies. Until face-to-face meetings are legal, subject access and other information rights requests are likely to remain "complex". For example, this is likely to be the case where it is difficult to access records that are kept in an office that continues to be closed. If a request is complex, controllers have an additional two months to respond to it.

  • Disclosing to staff that a colleague may have contracted Covid-19: 

    Data protection law does not prevent organisations from keeping their staff informed about any confirmed or potential cases of Covid-19 within the organisation. This is because businesses have an obligation to ensure the health and safety of their employees, which may provide the legal basis for employers' processing of certain health data. Other grounds may also apply to this disclosure, such as vital interests or the public interest in public health by protecting against cross-border threats. Consent is unlikely to be an appropriate or necessary legal basis.

    In accordance with the principles of data minimisation and proportionality, only necessary information should be collected and disclosed to other staff members. It will not usually be necessary to disclose the names of infected colleagues to other staff members.

    However, it may be necessary to inform immediate team members of their colleague's diagnosis, for example, for contact tracing purposes. If this is the case, we would suggest that this is done on a "need to know" basis and that the affected employee be warned in advance. Notification should be carried out in confidence and verbally, rather than in writing. This will minimise the unnecessary recording of health information, which carries additional risks. Verbal disclosure may even take the disclosure out of the ambit of data protection legislation entirely, as it does not cover purely verbal communications, and it may help to make the disclosure less intrusive.

  • Workplace health testing: 

    Data protection law does not prevent organisations from taking necessary steps to keep their staff and the public safe and supported during the pandemic. As more sectors return to work, some organisations are considering whether they should carry out tests to check whether staff and/or visitors have symptoms of Covid-19. Provided that there is a good reason for doing so, it is possible for such organisations to process health data about Covid-19. This good reason may include “public task” for public authorities or “legitimate interests” for other public or private employers. If health data is being collected, there are stricter compliance requirements as the data is deemed to be more sensitive. As a result, a further condition will need to be satisfied such as employment-related obligations, preventative or occupational medicine or public interest in the area of public health.

    Some organisations will have seen other countries using temperature checking to collect data on employees and visitors. There are differences of opinion between supervisory authorities as to whether it is acceptable to conduct mandatory temperature checks on workers or visitors. The key factor to bear in mind is whether such checks are necessary, or whether there is another less intrusive way of checking the individuals’ health. As mentioned above, it will also be necessary to consider what lawful basis is appropriate for temperature checks.

    As lockdowns begin to lift and people begin to return to work, more intrusive health checks may be justified in some circumstances for both public and private organisations. When weighing up the necessity of temperature checks, it is worth considering the fact that many people are “silently” infectious without having a fever or other symptoms, so temperature checks may be of limited use in stopping the spread of the virus. If temperature checks are considered to be appropriate, a Data Protection Impact Assessment (“DPIA”) should be carried out to assess the risks and the measures that can be taken to mitigate them.

  • Vaccinations: 

    Although the UK government has the power to prevent, control or mitigate the spread of an infection or contamination, there is a strict prohibition on powers requiring mandatory medical treatment, such as vaccinations. Ultimately, it is up to an individual to decide whether they want to have the vaccine and it is therefore unlikely to be appropriate for an organisation to require its staff members to have the vaccine.

    That said, organisations may be within their rights to collect data about the vaccination status of their employees. The ICO has issued guidance which encourages organisations to only collect information about their employees’ vaccine status if there is good reason to do so. In practice, organisations should not seek this information unless it is necessary and proportionate to do so and, in any event, should only collect and retain the minimum amount of information needed to fulfil their purpose in collecting the data. A DPIA might be a sensible way to assess whether collecting information about the vaccination status of employees is necessary and proportionate in all the circumstances.

    Organisations should also ensure they have a proper legal basis for processing this data which, for the majority of public and private organisations, is likely to be legitimate interests. Vaccination status is health data and, therefore, ‘special category data’ under data protection law. This means that it requires an additional justification for processing, such as the employment or public health condition in Article 9 of the UK GDPR (as recommended by the ICO). If organisations do intend to rely on the public health condition, they must ensure that a qualified health professional carries out the processing or that individuals are notified that this information will remain confidential except in limited circumstances.  

    Organisations should note that consent is unlikely to be a suitable legal basis in an employment setting, given the imbalance of power between the employer and employee.

  • Privacy Notices and other key requirements: 

    Organisations should ensure that clear and accessible privacy notices are available. Such privacy notices must have been updated to provide for any data being processed in connection with anti-coronavirus measures. Privacy notices should include information about the data being collected and the purposes for which it will be used; with whom it will be shared; the length of time for which it will be retained and how people can exercise their rights over it, for example the right to erasure.

    Since 23 June 2020, the UK government requires businesses (such as pubs, hairdressers, restaurants and museums) to collect and record customers' and visitors' contact details in order to assist with any future test and trace efforts. If personal data is being collected on visitors and / or customers to a business premises, it may be most appropriate to display the privacy notice at the point where the personal data is collected, such as at the front desk.

    In light of the current government guidelines, the ICO has published some guidance on how businesses should protect customer and visitor details in line with their data protection obligations. They advise businesses to follow the following five steps: 

    (1)    ask only for what's needed (e.g. name, contact details and time of arrival; 
    (2)    be transparent with customers; 
    (3)    carefully store the data; 
    (4)    don't use it for other purposes such as direct marketing, profiling or data analytics; and 
    (5)    erase it in line with government guidance and do not keep the data for longer than government guidelines specify. 

  • Public health messages and direct marketing: 

    The government, NHS or health professionals may lawfully send public health messages to people by phone, text or email and these will not constitute direct marketing. It is important to make sure that these messages only contain public health messages so as to ensure that they are not considered direct marketing.
    In the same vein, we have noticed many companies sending out service updates in the light of protective measures against coronavirus and the roadmap detailing the relaxation of those measures. While true service messages are not considered to be direct marketing, those messages will be covered by the PECR if they contain promotional content. This means that they must be screened against suppression lists and only sent in accordance with the PECR's prior consent requirements. The public health crisis must not be used as an excuse to circumvent the normal marketing requirements.

  • Homeworking and security: 

    Data protection law does not prevent staff from using their own device or communications equipment in their own homes. The GDPR's security obligations still apply and businesses will need to consider the same kinds of security measures for homeworking that one would use in normal circumstances. This will be particularly important due to the increased number of cyber-attacks in the last few weeks, as hackers attempt to exploit changes to working habits and anxiety over the pandemic to influence people to take more risks than they normally would online. Organisations may wish to put in place, or update, policies covering how staff members should deal with confidential information and business personal data when at home – for example, locking information away at the end of the day, and limiting the use of devices that can record conversations, such as Alexa or Google Assistant, in the proximity of business calls.

    As mentioned above, the ICO and the NCSC have both issued guidance on this topic.

    The ICO's guidance suggests the following measures:

    • Putting in place clear policies, procedures and guidance for staff who are remote working (for example, in relation to accessing, handling and disposing of personal data);

    • Reminding staff to use unique and complex passwords;

    • Only giving key staff full access to cloud storage areas with other members of staff having read, write, edit or delete permissions where appropriate;

    • Having account lockouts in place after a certain number of failed logins; and

    • Reviewing and implementing the NCSC guidance on defending against phishing attacks. 

    The NCSC guidance suggests the following measures:

    • Authentication – two factor authentication is particularly important to mitigate the risks of remote access. Regular password strength should be maintained.

    • Devices – an enhanced risk of device loss makes encryption even more important. Organisations should ensure that their rules on keeping software and malware protection up-to-date are maintained.

    • VPNs – these should be implemented in order to minimise the risk of intrusions through home networks.

    The NCSC also stresses that it is important that businesses educate their staff to make them aware of the enhanced phishing risks at play at the moment, as individuals are more susceptible to clicking on a coronavirus-related link. Their recommendations include producing "How do I?" guides for employees, providing necessary training and tips on how to spot coronavirus email scams.

  • Contact tracing and surveillance:

    With the launch of the NHS’s track and trace app, many organisations in specified industries are now required to display an NHS QR code poster and are within their rights to encourage visitors to use the app to register their details. However, the government guidance is clear that businesses cannot make the specific use of the NHS QR code a precondition of entry. In other words, customers must have the choice to provide their personal details in some other way (for example, by way of a form), if they prefer. Further, visitors should only be asked to register their details by a single method: if a visitor chooses to use the Track and Trace app, organisations cannot request that the same visitor provides their personal data for contact tracing purposes.

    Where there are legitimate public interest reasons for sharing personal data, such as public health interests, data protection law does not prevent data sharing. Organisations can, therefore, disclose the personal data of employees, customers or suppliers when requested by contact tracing schemes. That said, where such disclosure is not mandatory but is based on a public task or legitimate interest grounds, data subjects are provided with a right to object to the processing. This right is not absolute and organisations may still disclose if they are satisfied that the public interests are greater than the individual interests of the data subject. In this scenario, it is crucial that organisations are able to justify the continued disclosure of personal data and so we would recommend that a DPIA is carried out prior to the disclosure.

    There may be situations where organisations wish to rely on surveillance footage to carry out a contract tracing exercise, particularly where a staff member has tested positive for Covid-19. Under data protection law, any surveillance of an employee needs to be necessary, justified and proportionate. In all cases, organisations should assess whether any monitoring is necessary in the specific circumstances and consider speaking to the individuals who would be affected by the use of surveillance technology. It should continue to be borne in mind that employees have legitimate expectations to a private personal life, including privacy in the workplace.

    Further, unless required by law to collect contract tracing data (particularly for organisations based in certain industries such as hospitality or close contact services), organisations should only collect information where there is a need to disclose information to a contact tracing scheme. Under no circumstances should organisations conduct contact tracing based on a ‘what if someone requests it’ eventuality.



Katie Hewson

Katie Hewson

T:  +44 20 7809 2374 M:  Email Katie | Vcard Office:  London

Naomi Leach

Naomi Leach

T:  +44 20 7809 2960 M:  +44 7769 143 367 Email Naomi | Vcard Office:  London