The recent shift to remote working and other new or unfamiliar delivery models has meant that managers have faced fresh concerns about how to stay compliant with personal data protection laws. They have had to think about this both in terms of processing their normal data and in terms of making decisions about whether to arrange for testing/screening staff who need to work on site. Subjecting staff to medical tests is not exactly “business as usual”. Fortunately, the Information Commissioner’s Office (ICO) moved quickly to announce its approach to regulation during the pandemic, thereby removing much of the uncertainty. In early April, the ICO stated:
- We will identify and fast track advice, guidance or tools that public authorities and businesses tell us would help them deal with, or recover from, the crisis.
- We will review the economic and resource impact of any new guidance. We will delay any specific guidance that could impose a burden that diverts staff from frontline duties, except where it is needed to address a high risk to the public.
- We will provide practical support to the public as to how to understand and exercise their information rights during this crisis. This could mean that individuals are advised to wait longer than usual and ‘bear with’ organisations.
- When handling the public’s complaints about organisations, our approach will take into account the impact of the crisis. This may mean we resolve the complaint without contacting an organisation, for example if it is focussing its resources on the coronavirus frontline, or that we give it longer than usual to respond or to rectify any breaches associated with delay if it is recovering its service and gradually improving timescales.
- We will look to develop further regulatory measures that are ready to use at the end of the crisis. These would support economic growth and recovery including advice services, sandboxes, codes and international transfer mechanisms to test flexibility in safe data use.
By any measure this statement was a welcome relief to data controllers as it gave them the comfort of knowing that the regulator was taking a balanced and sensible approach to enforcement. It’s clear that the ICO is applying a lighter touch.
That is not to say that all bets are off, however. All the usual legal principles apply and controllers must continue to satisfy themselves that they always have a clear, legitimate reason for collecting new personal data, particularly when that data is sensitive information about the health of individuals. That type of data needs not one but two justifications under the GDPR: a lawful basis for the processing, and a separate condition for processing special category (health) data.
The decision to collect health data, including the legal justification being relied on, also needs to be properly recorded and readily available for audit purposes.
Then all the usual rules relating to data minimisation (only collecting the minimum personal data needed for the task), accuracy, confidentiality, retention periods and security apply.
Getting this right may mean a brief review of your procedures, notices, policies and other data protection documents is in order.
Tim Heywood, Partner, gunnercooke llp
Tim has a specialist data protection and cyber law practice.