+44 (0)20 7612 9612
March 23, 2020
The ICO acknowledges that organisations might need to share information quickly or adapt the way they work during the pandemic, and encourages organisations to be proportionate.
The ICO understands that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. Accordingly, it will not penalise organisations that need to prioritise other areas or adapt their usual approach during this extraordinary period. Further, it will ensure people know that there may be delays when making information rights requests during the pandemic.
Professional healthcare organisations are not prevented by data protection and electronic communication laws from sending public health messages to people, either by phone, text or email as these messages are not direct marketing.
As for homeworking, staff can use their own device or communications equipment. Data protection law does not prevent that, but organisations will need to consider the same kinds of security measures for homeworking that they would use in normal circumstances.
Organisations can tell staff if a colleague may have potentially contracted COVID-19, but the individual does not need to be named and organisations should not provide more information than necessary.
As for gathering health data about employees or from visitors to an organisation, the ICO notes that there is an obligation to protect employees’ health, but that does not necessarily mean that organisations need to gather lots of information about them. It is reasonable to ask people whether they have visited a particular country, or are experiencing COVID-19 symptoms. Alternatively, ask visitors to consider government advice before they decide to visit. This approach should help minimise the information organisations need to collect. In any event, the advice is not to collect more data than needed and ensure that any information collected is treated with the appropriate safeguards.
The health data of employees can be shared to authorities for public health purposes if necessary. It is unlikely that organisations will need to do this, but if it is necessary, data protection law will not stop an organisation from doing so. To access the advice note, click here.