1 April 2020

Processing personal data associated with the COVID-19 pandemic – 1 of 3 Insights

COVID-19 – data protection dos and don'ts

Sally Annereau provides a dos and don'ts checklist to help with data protection compliance during the COVID-19 outbreak.

Author

Sally Annereau

Senior Adviser

In the present climate, we can find ourselves collecting and potentially sharing personal information for different purposes and having to adapt to new ways of working that have an impact on our established approaches to information governance.

Data protection law is not an obstacle to doing what is necessary and proportionate when processing personal data in order to provide healthcare, manage and protect public health, contain pandemics and protect employees, yet while extraordinary times may call for extraordinary measures, the law and principles of data protection persist and cannot be entirely thrown off.

Having to work in new ways will often involve navigating new compliance challenges. The following pointers can help assess the risks and manage the data protection compliance considerations arising from the response to COVID-19, but note that they are not comprehensive – all the usual aspects of GDPR and the DPA18 continue to apply.

Lawful processing

Do

  • Consider the lawful grounds for your processing. The GDPR and the UK Data Protection Act 2018 both anticipate grounds for processing where necessary in the context of containing and managing the response to a pandemic by data controllers, including by both public authorities and employers (see also our articles on processing personal data related to COVID-19 and on sharing personal data in the context of COVID-19 for more information about the lawful grounds relevant to personal data processing).
  • Assess whether the proposed collection and intended use of personal data is necessary on the basis of the grounds relied on.
  • Where processing sensitive (special category) data on substantial public interest grounds, ensure that you have an 'appropriate policy document' in place for the period of the processing and for 6 months following the end of the processing. This needs to set out your procedures for ensuring compliance with the data protection principles and your policies for retention and erasure. Keep the policy under review.
  • You are unlikely to be prevented from lawfully sharing information on the basis of a properly framed request by a public authority. However, find out as much as you can about the authority of any agency asking for information and the intended use/s for the data. You need this to assess whether there is a lawful basis for sharing information.

Don't

  • Don't rush to collect, use or disclose personal information in haste without understanding whether there are applicable lawful grounds.
  • Don't be pressured into simply complying with a sharing request because of its source without understanding the purpose of the requested disclosure and the necessity of the data to that request. In the absence of a compelling legal instrument or legal obligation, sharing the data is not mandatory, but it may still be achieved within the existing legal framework.

Proportionality

Do

  • Collect and use the minimum data needed for your purposes.
  • Only collect information necessary to manage containment and protect your employees and others. For example, it would be reasonable to ask employees or visitors to inform you if they have tested positive or been exposed where you then process that information only in order to protect the workforce and enable containment of the risk posed to others.
  • When responding to a request for information, consider whether the purpose of the request can be achieved by providing anonymised information or, if the data cannot be fully anonymised, whether it can be pseudonymised.
  • Apply the proportionality principle and seek to consider the least intrusive solution for any proposed processing.

Don't

  • Do not engage in the systematic and broad collection of large amounts of information on employees or others – for example, by requiring the completion of detailed health questionnaires about themselves, their family or their situation or requiring the provision of health declarations in the absence of any legal obligation.

Transparency

Do

  • Keep employees generally informed of the containment and protective measures you are taking, and the numbers of cases within the workforce without disclosing more information than necessary.
  • Update and communicate notices and privacy statements to individuals reflecting any changes in the collection of personal information and the use or disclosure of that information in connection with managing COVID-19.
  • If you decide to share personal data, determine whether you need to inform the affected data subjects that you have done so (your privacy notices or terms with them may cover this possibility already, depending on your relationship with them). An assessment of this should take place as soon as possible.

Don't

  • Do not disclose information to employees revealing the identity of colleagues who have tested positive for COVID-19. The only exception to this may be where a disclosure is to specific employee(s) who may themselves have been exposed to the affected colleague and where disclosure is a necessary containment and protective measure.

Confidentiality and security

Do

  • Take steps to ensure that those whose role in the organisation requires them to have access to sensitive health information have been instructed in the importance of maintaining the confidentiality of such information and are subject to appropriate obligations of confidentiality.
  • Consider whether any service providers will, by reason of their role, have access to sensitive (special category) information of individuals and consider the scope of the processing terms in place and whether any updates or enhanced protections are necessary in light of their processing this information. This may also include ensuring any legal adequacy mechanisms relevant to personal data transfers are implemented.
  • Revisit security measures and guidelines to ensure that the confidentiality and security of personal data are safeguarded when working remotely. This may include the use of secure home networks and Wi-Fi, reinforcing guidelines concerning use of personal devices, use of secure file-sharing sites and data-sharing protocols, and considering secure storage of paperwork and other materials that include personal information when not in use.
  • Remind staff to be alert to cybersecurity risks associated with scammers, blaggers and COVID-19 related phishing emails.
  • Reinforce and communicate policies for ensuring data breaches are identified and immediately reported.
  • Consider remote training on confidentiality and security for employees who are remote working for the first time.

You can also read more in our article on staying cyber safe during the pandemic.

Don't

  • Do not reveal confidential information of colleagues who have tested positive for COVID-19. It's worth restating that the only exception to this may be where a disclosure is to specific employee(s) who may themselves have been exposed to the affected colleague and where disclosure is a necessary containment and protective measure.
  • Do not ignore the security risks associated with homeworking.
  • Don't make any permitted disclosures of personal information without ensuring the transmission is secured, whether by encryption, a secure file-sharing site or another secure mechanism.
  • Don't create a climate of fear that has the unintended consequence of making employees reluctant to identify and report up any issues and concerns relating to security and data breaches that you need to be aware of and act on.
  • Don't skip doing security diligence or implementing appropriate contractual processing safeguards for vendors you bring in to provide COVID-19 related support. It's important to have a clear picture of their security strengths and weaknesses and put robust terms in place, even if there is pressure to complete on-boarding.

Retention

Do

  • Identify, determine, document and keep under review, the retention periods relevant to any new collection of data and sensitive (special category) data in managing the COVID-19 response.
  • Ensure any 'appropriate policy document' (see lawful processing above) explains your policies for retention and erasure of the personal data being processed.
  • Ensure your record of processing (see accountability below) identifies whether any personal data processed on the grounds of a substantial public interest condition is retained in accordance with your relevant retention schedule (or if not, the reasons why not).

Don't

  • Don't forget to schedule a subsequent review of collected data and delete data as soon as it is no longer required. Such information should only have relevance for a short period during the emergency and should not be retained for longer than necessary after that.

Rights

Do

  • Continue to take steps to respond to rights of individuals. The timelines for response are set down in law and can't be changed although it is likely that the ICO will take account of any real impact of COVID-19 on your ability to respond within the required timeframe.
  • Keep records relevant to your handling of rights requests, including where COVID-19 imposed constraints on your effective handling of any particular rights request (as that may be relevant as mitigation in the event of a complaint to the ICO).

Don't

  • Do not ignore rights requests from data subjects if you wish to avoid manageable privacy concerns evolving into significant privacy and compliance headaches.

Accountability

Do

  • Update records of processing to include categories of personal data collected and processed for COVID-19 purposes and, in the case of sensitive (special category) processing carried out in the UK, on substantial public interest grounds. Ensure the record of processing sets out the nature of the lawful condition relied on in addition to identifying the lawful grounds relevant to personal data processing under Art 6 GDPR.
  • Do consider whether you need to conduct and document a Data Protection Impact Assessment (DPIA) where you are processing sensitive (special category) information, particularly in the context of employees and where due to the size of your organisation the processing may be on a large scale.
  • Maintain records of your handling of any rights requests and complaints along with records relevant to any particular COVID-19 related factors that were relevant either to the circumstances of the request or complaint or were a constraint on your effective handling of the complaint.
  • Review and update policies and guidance where necessary.

Don't

  • Don't forget good record keeping and policies will help promote efficient working and provide evidence to support your compliance or to demonstrate any real challenges hindering compliance efforts.
  • Don't get bogged down with drafting long cumbersome procedures given the urgency and (hopefully) short period of the emergency. Focus instead on presenting simple clear points that will help employees understand the key compliance messages.
  • Don't forget to be alert to, contain, log and where required report any data breaches.

Communications and marketing

Do

  • Remember that if you are a public health provider or healthcare professional you can communicate public health messages without needing to consider e-Privacy rules relevant to marketing communications.
  • Remind remote working sales teams that proactive marketing approaches to customers must still be in compliance with data protection and e-Privacy rules.

Don't

  • Don't send communications that ostensibly promote an organisation's brand or services, even where it refers to COVID-19, unless with the prior consent of the subject or in reliance on a lawfully permitted exception. Such communications will be marketing.

International and transfers

Do

  • Check local advice relevant to the regulatory position including taking account of any specific legal mandates for or constraints on processing relevant to wherever you have a legal presence.
  • Remember that the usual rules around data transfers to third countries apply.

Don't

  • Don't assume that the law or local regulatory position will be the same in every country where you have 'feet on the ground'.