View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Policy
March 17, 2020

ICO Vows “Reasonable and Pragmatic” Flexibility on Data Protection, During Outbreak

"Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health"

By CBR Staff Writer

The UK’s data watchdog has acknowledged that COVID-19 is causing massive disruption to the way organisations are operating, and suggested that it will take a soft-touch approach towards organisations unable to meet statutory data protection requirements during the outbreak.

The ICO also said that it will not “penalise” organisations that are unable to handle information or data requests in a timely manner — welcome news as many firms’ ability to process and action GDPR requests will be severely limited as resources are diverted to ensuring newly remote workforces are bedding in to working from home.

Under GDPR organisations have one month from receiving a data request to respond. In special circumstance a two-month extension can be granted. If data compliance officers are working from home they may be unable to access any records that are not stored digitally in accessible systems, thus hampering their ability to respond.

The ICO stated: “We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”

In comments directed at those querying the actions of public health organisations, it added: “Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health… Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing.”

Looking after the Workforce

The ICO is also informing organisations that if a member of their staff is suspected of contracting COVID-19 then they are fully able to pass this information onto that person’s colleagues. Employers have an obligation and a duty of care to the greater workforce in situations like this. However, disclosing the person’s identity should be avoided if possible to help protect that persons personal data.

The Irish data authority, meanwhile, is advising that “disclosure of this information may be required by the public health authorities in order to carry out their functions.”

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

When it comes to a company’s employees and their health the data authorities stress that just because you are concerned about workers health doesn’t mean you should start collecting unnecessarily amounts of health data from them.

Yet, it is “reasonable” to ask employees and visitors if they have visited a country that is experiencing the worst of the COVID-19 pandemic.

ICO stated on the pandemic that it is a “reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.”

See Also:  Google Fined, Clashes with Data Protection Authority over Right to Be Forgotten

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.