• Home
  • News
  • Data protection and coronavirus: what you need to know

13 Jul 2020

Data protection and coronavirus: what you need to know


Managing data protection and privacy risks while dealing with responding to the threat posed by Covid-19 is a challenge. However, organisations handling personal data should be reassured that data protection law will not prevent them from responding to the pandemic appropriately.

It is important not to let this crisis lower your usual data protection standards, since they are no barrier to protecting your employees, customers and third parties. The rights and obligations conferred by data protection law are fundamental and, what's more, they are entirely consistent with taking steps to tackle coronavirus.

International data protection regulators have been publishing lots of guidance on how to deal with coronavirus while respecting data protection law. Guidance from the ICO (available through its coronavirus hub) will be of particular interest to our UK clients, and the EDPB is also working to promote a common approach to the use of mobile apps and data in fighting coronavirus and has mandated its subgroups to produce guidance on geolocation and tracking tools; and on processing health data for research purposes in the context of Covid-19. The National Cyber Security Centre's guidance and the ICO's security checklist for home and remote working by employees are also valuable, as they cover practical steps for managing security.

The key guidance, taken together with views from other countries' regulators, plus some of the issues we've seen arising in the market, can be summarised to give the following takeaways for UK organisations:

  • Response times and information governance: Organisations are being reassured that they will not be penalised if they need to prioritise other areas or adapt their usual approach to dealing with requests or complaints from data subjects during the pandemic.

    The ICO is one of a handful of pragmatic regulators to explicitly say that it understands that businesses may not be able to meet the same standard of response times to information rights requests as they would under normal circumstances. Therefore, while it is unable to officially extend statutory timescales, it has said that it will seek to advise complainants that they may experience understandable delays when making requests during the pandemic. It has published a paper on its approach to regulation during the pandemic, which states that it is prioritising its resources, and that while, for example, data breaches must still be reported within 72 hours, it will “take an appropriately empathetic and proportionate approach”, recognising that the current crisis may impact organisations’ response times. In deciding whether to take formal regulatory action, including issuing fines, the ICO will also take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis. Organisations may be given longer than usual to rectify any breaches that predate the crisis, where it has impacted the organisation’s ability to take steps to put things right. The ICO has also released an updated list of priorities over the coming months which focusses primarily on protecting the public interest, enabling responsible data sharing and monitoring and intrusive and disruptive technology.
    Certain organisations have also changed their procedures for checking the identity of those making a subject access request during the coronavirus outbreak. For example, subject access requests made to the Disclosure and Barring Service by email may be accompanied by scanned images of ID documents, rather than hard copies. While there has still been no official word on whether subject access and other information rights requests may be more likely to be "complex" at present, we consider that this may be arguable in some circumstances, for example where it is difficult to access records that are kept in an office that is currently closed. If a request is complex, controllers have an additional two months to respond to it.
  • Disclosing to staff that a colleague may have contracted Covid-19: Data protection law is not a barrier to keeping staff informed about any confirmed or potential cases within the organisation. This is because businesses have an obligation to ensure the health and safety of their employees, which may provide the legal basis for employers' processing of certain health data. Other grounds may also apply to this disclosure, such as vital interests or the public interest in public health by protecting against cross-border threats. Consent is unlikely to be an appropriate or necessary legal basis.
    It will not usually be necessary to tell other staff members the names of infected colleagues, and only necessary information should be collected and disclosed to other staff members, in line with the principles of data minimisation and proportionality.
    However, it may be the case that it is necessary to inform immediate team members of their colleague's diagnosis, for example for contact tracing purposes. If this is the case, we would suggest that this is done on a "need to know" basis to select staff members only, with the affected employee being warned in advance that certain colleagues are being informed. Ideally notification should also be carried out verbally, rather than in writing, and in confidence. This will minimise unnecessary recording of health information, which carries additional risks of an email being forwarded to an unintended recipient. Verbal disclosure may even take the disclosure out of the ambit of data protection legislation entirely, as it does not cover purely verbal communications, and it may help to make the disclosure less intrusive.
  • Workplace health testing: Data protection law does not prevent organisations from taking necessary steps to keep staff and the public safe and supported during the pandemic. As more sectors start to return to work, some are considering carrying out tests to check whether staff and/or visitors have symptoms of Covid-19. Provided there is a good reason for doing so, it is possible to process health data about Covid-19. This good reason may include “public task” for public authorities or “legitimate interests” for other public or private employers. If health data is being collected, there are stricter compliance requirements as the data is deemed to be more sensitive and a further condition will need to be satisfied such as employment-related obligations, preventative or occupational medicine or public interest in the area of public health.
    Some organisations will have seen other countries using temperature checking to collect data on employees and visitors. There are differences of opinion between supervisory authorities as to whether it is acceptable to conduct mandatory temperature checks on workers or visitors. The key factor to bear in mind is whether such checks are necessary, or whether there is another less intrusive way of checking on the individuals’ health. As mentioned above, it will also be necessary to consider what lawful basis is appropriate for temperature checks.
    As lockdowns begin to lift and people begin to return to work, more intrusive health checks may be justified in some circumstances for both public and private organisations. When weighing up the necessity of temperature checks, it is worth considering the fact that many people are “silently” infectious without having a fever or other symptoms, so temperature checks may be of limited use in stopping the spread of the virus.
    If temperature checks are considered appropriate, a Data Protection Impact Assessment (“DPIA”) should be carried out, to assess the risks and the measures that can be taken to mitigate them.
  • Privacy Notices and other key requirements: Organisations should ensure clear and accessible privacy notices are available and have been updated to provide for any data being processed in connection with anti-coronavirus measures. Privacy notices should include information such as what data will be collected and the purposes for which it will be used; with whom it will be shared; the length of time for which it will be retained and how people can exercise their rights over it, for example the right to erasure.
    On 23 June 2020, the UK government announced that businesses reopening (such as pubs, hairdressers, restaurants and museums) should collect and record customers' and visitors' contact details in order to assist with any future test and trace efforts. If personal data is being collected on visitors and / or customers to a business premises, it may be most appropriate to place the privacy notice where their information is being collected, such as at the front desk.
    In light of the new government guidelines, the ICO has published some guidance on how businesses should protect customer and visitor details in line with their data protection obligations. They advise businesses to follow the following five steps: (1) ask only for what's needed (e.g. name, contact details and time of arrival; (2) be transparent with customers; (3) carefully store the data; (4) don't use it for other purposes such as direct marketing, profiling or data analytics; and (5) erase it in line with government guidance and do not keep the data for longer than government guidelines specify. 
  • Public health messages and direct marketing: The government, NHS or health professionals may lawfully send public health messages to people by phone, text or email and these will not constitute direct marketing. As usual, it will be important to make sure that these messages only contain public health messages, in order to ensure that they are not considered direct marketing.
    In the same vein, we have noticed many companies sending out service updates in the light of protective measures against coronavirus. While true service messages are not considered to be direct marketing, if those messages also contain promotional content, they will also be covered by PECR. This means that they must be screened against suppression lists and only sent in accordance with the PECR prior consent requirements. The public health crisis must not be used as an excuse to circumvent the normal marketing requirements.
  • Homeworking and security: Data protection law does not prevent staff from using their own device or communications equipment in their own homes. The GDPR's security obligations still apply and businesses will need to consider the same kinds of security measures for homeworking that one would use in normal circumstances. This will be particularly important due to the increased number of cyber-attacks in the last few weeks, as hackers attempt to exploit changes to working habits and anxiety over the pandemic to influence people to take more risks than they normally would online. Organisations may wish to put in place, or update, policies covering how staff members should deal with confidential information and business personal data when at home – for example, locking information away at the end of the day, and limiting the use of devices that can record conversations, such as Alexa or Google Assistant, in the proximity of business calls.

    As mentioned above, the ICO and the NCSC have both issued guidance on this topic.

    The ICO covers steps such as:

      • Putting in place clear policies, procedures and guidance for staff who are remote working including accessing, handling and disposing of personal data;
      • Reminding staff to use unique and complex passwords;
      • Only giving key staff full access to cloud storage areas with other members of staff having read, write, edit or delete permissions where appropriate;
      • Having account lockouts in place after a certain number of failed logins; and
      • Reviewing and implementing the NCSC guidance on defending against phishing attacks. 

    The NCSC guidance covers steps such as:

      • Authentication – two factor authentication is particularly important to mitigate the risks of remote access. Regular password strength should be maintained.
      • Devices – an enhanced risk of device loss makes encryption even more important. Organisations should ensure that their rules on keeping software and malware protection up-to-date are maintained.
      • VPNs – these should be implemented in order to minimise the risk of intrusions through home networks.

    The NCSC also stresses that it's important that businesses educate their staff to make them aware of the enhanced phishing risks at play at the moment, as individuals are more susceptible to clicking on a coronavirus-related link. Their recommendations include producing "How do I?" guides for employees, providing necessary training and tips on how to spot coronavirus email scams.

  • Device tracking: The launch of the UK contact tracing app has been delayed until further notice with some expecting it to be ready for winter. It is hoped, once rolled out, that it will assist in controlling the spread of Covid-19 as lockdown is eased. The app is designed to inform people if they have been in close contact with someone who later reports Covid-19 symptoms. The app will run in the background of the phone, using Bluetooth signals to sense another phone with the app coming into range and measure how far away that person is. If a user develops symptoms, they report these in the app and will be asked to complete a questionnaire. The answers will then be analysed by an NHS artificial intelligence programme and if it decides the symptoms meet a threshold for Covid-19, it determines that the user should self-isolate for 14 days. The AI programme will then analyse the people who that user has been in contact with to decide the potential risk of infection for each individual who was exposed to the user. People determined to have had “high risk” contact with someone reporting Covid-19 symptoms will be sent an alert advising that they self-isolate for 14 days. 
    The UK government scrapped its original plan to develop a centralised app after experiencing major flaws during the pilot on Isle of Wight and will now adopt the decentralised approach designed by Apple and Google. This means data collected on the app will no longer be sent to a centralised NHS server but rather stay on individuals’ phones.  
    The general view of supervisory authorities, including the ICO, is that contact-tracing may be used to help fight coronavirus, provided it complies with data protection law. 
    Trust will be essential for the app to work as intended. The European Data Protection Board has emphasised that the majority of the population will need to sign up to the app and some have suggested as much as 60% of the population will have to download and use the app in order for it to have the desired effect. 



Katie Hewson

Katie Hewson

T:  +44 20 7809 2374 M:  Email Katie | Vcard Office:  London

Naomi Leach

Naomi Leach

T:  +44 20 7809 2960 M:  +44 7769 143 367 Email Naomi | Vcard Office:  London