The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, they will take into account the compelling public interest in the current health emergency.

The need for public bodies and health practitioners to be able to communicate directly with people when dealing with this type of health emergency has never been greater.

Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.

The safety and security of the public remains ICO's primary concern. The ICO and their colleagues in the public sector have this at the forefront of their minds at this time. They are there to help colleagues on the frontline. They can offer advice to make sure the law around data protection and direct marketing is clear. Information is available on their website at www.ico.org.uk/ or you can call their  helpline on 0303 123 1113.

FAQs:

During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?
No. ICO understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. They won’t penalise organisations that they know need to prioritise other areas or adapt their usual approach during this extraordinary period.

They can’t extend statutory timescales, but we will tell people through their own communications channels that they may experience understandable delays when making information rights requests during the pandemic.

As a healthcare organisation, can we contact individuals in relation to COVID-19 without having prior consent?
Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop you using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.

More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.

Can I tell my staff that a colleague may have potentially contracted COVID-19?
Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.

Can I collect health data in relation to COVID-19 about employees or from visitors to my organisation? What about health information ahead of a conference, or an event?
You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.

It’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms.

You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.

If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.

Can I share employees’ health information to authorities for public health purposes?
Yes. It’s unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law won’t stop you from doing so.

Useful links:

Further guidance regarding the Coronavirus can be found via:

NHS Coronavirus overview

ACAS Coronavirus advice for employers and employees

https://www.gov.uk/government/publications/support-for-those-affected-by-covid-19/support-for-those-affected-by-covid-19

https://www.gov.uk/government/publications/guidance-to-employers-and-businesses-about-covid-19/guidance-for-employers-and-businesses-on-covid-19

Welsh Government

Government’s Corona Virus Action Plan