Personal Data in a Pandemic
June 30, 2020
Get in touch
For further advice please contact us for a consultation.
-
+44 (0)3330 143 401
info@gunnercooke.com
Wussten Sie, dass 10.000 Stunden „entwickelter Praxis“ als Marke gilt, ab der man ein Experte oder eine Expertin ist? Gute Nachrichten: Jeder gunnercooke Partner und jede gunnercooke Partnerin hat schon mehr als 10.000 Stunden anwaltlich gearbeitet. Sie haben hier also nur mit ausgewiesenen Rechts-Expert*innen zu tun.
June 30, 2020
For further advice please contact us for a consultation.
The recent shift to remote working and other new or unfamiliar delivery models has meant that managers have faced fresh concerns about how to stay compliant with personal data protection laws. They have had to think about this both in terms of processing their normal data and in terms of making decisions about whether to arrange for testing/screening staff who need to work on site. Subjecting staff to medical tests is not exactly “business as usual”. Fortunately, the Information Commissioner’s Office (ICO) moved quickly to announce their approach to regulation during the pandemic, thereby removing much of the uncertainty. In early April ICO stated –
By any measure this statement was a welcome relief to data controllers as it gave them the comfort of knowing that the regulator was taking a balanced and sensible approach to enforcement. It’s clear that the ICO is applying a lighter touch.
That is not to say that all bets are off, however. All the usual legal principles apply and controllers must continue to satisfy themselves that they always have a clear, legitimate reason for collecting new personal data, especially when that data is especially sensitive information about the health of individuals. That type of data needs not one, but two-step justification under GDPR.
The decision to collect health data, including the legal justification being relied on, also needs to be properly recorded and readily available for audit purposes.
Then all the usual rules relating to data minimisation (only collecting the minimum personal data needed for the task), accuracy, confidentiality, retention periods and security apply.
Getting this right may mean a brief review of your procedures, notices, policies and other data protection documents is in order.
Tim Heywood, Partner, gunnercooke llp
Tim has a specialist data protection and cyber law practice.