It is important that you are aware of your requirements as a data controller under the data protection legislation. However, amid the global pandemic, this should not prevent you from taking necessary measures to prevent the spread of Coronavirus.
It has been two years since the implementation of the GDPR and organisations are often still uncomfortable identifying the lawful basis applicable to their processing of personal data.
To recap, a data controller can process personal data under any of the following lawful bases:
- necessary for the performance of a contract
- necessary for compliance with a legal obligation
- necessary in order to protect the vital interest of the data subject
- necessary for the performance of a task carried out in the public interest
- necessary for the purpose of the legitimate interests pursued by the controller or by a third party
Processing of personal data will likely be required in connection with the pandemic facing us all at this time. For an organisation, the lawful basis for processing relating to the outbreak would in all probability be legitimate interest, public interest or compliance with a legal obligation.
The Information Commissioner's Office (ICO) released updated guidance on 16th March 2020 on the impact of Coronavirus on data protection.
In particular, it has stated that it is aware that businesses need to divert resource towards dealing with the issues that Coronavirus is presenting. The ICO has stated that it will not penalise organisations where it knows they have had to prioritise and/or adapt at this time.
The ICO is not able to extend statutory timescales (such as the period to respond to a subject access request). However, it will be making it clear to data subjects through its own channels that there may be delays to responses during the pandemic.
In terms of employer/employee responsibility, data protection does not stop organisations from informing employees about Coronavirus cases within their organisation; in fact, the ICO has been clear that organisations should actively be doing this to fulfil their duty of care to employees. However, the ICO has reminded organisations to be mindful of how they do so. For example, in many cases it is unlikely to be necessary to name individuals widely within an organisation, and you should think about which other information actually needs to be shared with employees to discharge your duty of care. If you consider it needs to be shared in order to comply with your duty of care, then you should make a note of your reasoning in case it is needed for future reference.
An increasing number of individuals will be working from home and data protection does not prevent this. However, organisations will still need to consider security measures for homeworking and the ICO has stressed that organisations should apply the same level of standards as in ordinary circumstances.
And finally, yes, healthcare organisations can contact individuals in relation to Coronavirus as this does not constitute direct marketing and data protection legislation does not stop this.
The ICO guidance as of 16th March 2020 can be reviewed in full here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/03/covid-19-general-data-protection-advice-for-data-controllers/