The Information Commissioner’s Office has tweaked its approach to the changing data environment that the COVID-19 pandemic is causing, as the data watchdog warns that it has narrowed its focus on the data risks created by efforts to tackle the COVID-19 outbreak.
Information Commissioner Elizabeth Denham commented that: “My office’s role is to be both an enabler and a protector. We must reflect the requirements and reality of those we regulate, and engage on how data protection can enable innovation that can respond to the pandemic. And the onus is on us to provide that expertise and input at pace.”
When it comes to a company’s employees and their health the data authorities stress that just because you are concerned about workers health doesn’t mean you should start collecting unnecessarily amounts of health data from them.
The ICO has warned that: “We are identifying and taking action against those seeking to use or obtain personal data unlawfully or inappropriately during COVID-19 so that the public and businesses feel confident that the ICO is protecting them at this time when they may be especially vulnerable to financial or other loss.”
The ICO informed organisation at the start of the pandemic that it would be understanding of the limitations that smaller firms were under and that they may not be able to process data requests on time.
The ICO also said that it will not “penalise” organisations that are unable to handle information or data requests in a timely manner — welcome news as many firms’ ability to process and action GDPR requests will be severely limited as resources are diverted to ensuring newly remote workforces are bedding in to working from home.
Under GDPR organisations have one month from receiving a data request to respond. In special circumstance a two-month extension can be granted. If data compliance officers are working from home they may be unable to access any records that are not stored digitally in accessible systems, thus hampering their ability to respond.
The ICO stated: “We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”
In comments directed at those querying the actions of public health organisations, it added: “Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health… Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing.”