Last updated 22 April 2020.
The present crisis has presented organisations of all kinds with a range of practical difficulties and competing rights and interests. The very nature of the emergency means that dealing with it inevitably brings into question the handling of personal data about employees and contractors - data which might be highly sensitive. All this can make compliance with an already complex area of the law even more of a burden - at a time when resources are stretched and attention prioritised elsewhere in the organisation. This article answers questions on the most frequently-raised data protection issues relating to the current pandemic, and provide practical guidance for organisations. Data protection law (which in the UK effectively means The Data Protection Act 2018 and the EU General Data Protection Regulation or GDPR) applies to the “processing” of “personal data”.
- “Processing” means any operation such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure or otherwise making available, restriction, erasure or destruction.
It therefore covers anything that can be done with or to data - even just hanging on to it.
- “Personal Data” means any information relating to an identified or identifiable individual - i.e. an individual who can be identified, directly or indirectly, in particular by reference to some identifier(e.g. a name, an identification number, or location data), or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
There are some limited exceptions, but in most commercial or other business or professional situations where personal data is collected, stored or handled, data protection laws will apply. Any individual aggrieved about how their personal data is being processed can take the matter to the courts, but in most cases the law is enforced by the UK's “supervisory authority” (regulator) -The Information Commissioner's Office or ICO.
What is the Regulator saying?
On 12 March, the UK's data regulator the ICO issued a release saying it is a “reasonable and pragmatic regulator” which “does not operate in isolation from matters of serious public concern”. The ICO said it will “take into account the compelling public interest in the current health emergency”. The ICO issued another statement on 15 April setting out its adjusted regulatory approach during the pandemic, in which it said it will:
- conduct investigations knowing there is a public health emergency, seek to understand the individual challenges faced by organisations, and take into account the particular impact of the crisis on the organisation;
- take a strong line against anyone breaching data protection laws to take advantage of the crisis; and
- take into account the potential impact of reduced resources on organisations' ability to respond to subject access requests.
The upshot seems to be that as long as organisations are doing what they can to comply, the ICO will take the crisis into account when looking into any non-compliance. Organisations would however be well advised not to read too much into this - there will be no “free passes” for any organisation which does not take its data protection obligations seriously even while labouring to manage the impact of the Coronavirus. It should be noted that the ICO's “adjusted approach” still makes it clear that when deciding whether to take formal action, the ICO will look at whether
- any difficulties claimed by an organisation do in fact arise from the crisis; and
- if the organisation has plans to put things right after the crisis.
The onus of proof is - as always - on the organisation not the ICO.On 19 March, the European Data Protection Board (EDPB) issued a release stating that “even in these exceptional times”, organisations must ensure the protection of individuals' personal data, and “any measure taken... must respect the general principles of law”. Even though the UK has now left the EU, the opinions of the EDPB are likely to remain influential with the ICO. The ICO has said it understands that organisations may have to prioritise, and that this may involve diverting resources from normal compliance or information governance activities. However, the ICO has also said it cannot extend statutory timescales (e.g. for responding to access requests or reporting a data breach), although it will tell people they may experience “understandable delays when making information rights requests during the pandemic”. In its statement of 15 April, the ICO recognised the impact that the pandemic may have but again stressed that organisations should continue to report data breaches without undue delay and within 72 hours of becoming aware.(The same statement indicated that the ICO might not enforce payment of data protection fees where an organisation is unable to pay for economic reasons linked to Coronavirus.)The onus is however always on organisations to satisfy the ICO that they have met their legal obligations, that a coronavirus-related impact has been suffered and if so the nature / extent of that impact, so we would advise organisations to do as much as they reasonably can to comply with their obligations and - where they fall short - to be ready to show documented proof as to why this was the case and the efforts they made to avoid it.
Managing Compliance during the Pandemic
Virus or no virus, an organisation's data compliance requirements remain as they were before the outbreak - for instance:
- responding to access and other requests by individuals exercising their data rights;
- making sure that personal data is stored and processed securely; and
- complying with the data processing principles.
However, radical changes to operating conditions and work practices require careful thought to ensure the organisation remains within the law. One of the greatest challenges is maintaining data protection compliance when employees are working from home for extended periods, processing the organisation's data through their home communications links and possibly on their own personal devices.
- For more information on maintaining data security and compliance when your personnel are working from home, see our article.
Although the UK data regulator (the ICO) has stated that it will not penalise organisations for prioritising other activities, or adapting their usual approach during the current emergency, it has also made it clear that the statutory deadlines for responding to requests regarding personal data are unaffected by Coronavirus. The ICO commits only to taking a reasonable and pragmatic approach to enforcement, and to informing complainants that delays are to be expected in the current circumstances. It would be wise not to read too much into this. Organisations are expected to comply with the law - and if they cannot, the onus will be on the organisation to produce documented evidence of why it could not, and what efforts it made to comply. The ICO is unlikely to offer any concessions to an organisation which is unable to do so. Organisations unable to respond to personal data requests due to Coronavirus (e.g. because they are having to allocate temporarily reduced resources to activities other than data compliance) should nevertheless try to:
- Acknowledge requests as promptly as possible;
- Provide data subjects with whatever accurate and transparent information it can about:- any delays in dealing with data requests- the reasons for any such delays, and- their likely duration.
And
- Comply with requests as fully as they can (a partial response will at least be evidence that you are doing what you can).
Information about delays should ideally be updated at regular intervals.
Data Relating to the Health of Employees
Yes - in the same way that you record data about any other health problem affecting an employee's attendance/ability to perform their duties. The organisation must however consider the matter carefully before doing anything more than this, because handling such data carries a range of legal obligations and possible sanctions for non-compliance - even during the current emergency. Any collection or other processing of personal data about employees will be subject to the processing principles laid down by the GDPR, in particular:
- Purpose Limitation - data must only be collected for specified, explicit and legitimate purposes, and not then used for any incompatible purpose.
- Data Minimisation - any data collected must be adequate, relevant and limited to what is necessary to achieve the purpose(s) for which the data are processed.
- Storage Limitation - the data must not be kept in a form which allows the individual to be identified for any longer than necessary to achieve the processing purpose(s).
The organisation must also be able to show it has a “lawful ground” for collecting/using the data. However - for the purposes of data protection law, any information about someone's health is “special category” (what used to be called “sensitive”) data, and additional restrictions and procedures apply to its collection, storage and/or use. Processing of special category data is only allowed if one of the grounds allowed for by Art. 9 of the GDPR applies. The grounds most likely to apply in a normal business situation are that:
- the individual has consented to the specific processing of their personal data (but see the response to Qu. 8 below) or
- the processing is necessary:(1) to meet obligations/exercise rights of the organisation or the employee in the field of employment and social security and social protection law; or(2) to protect the vital interests of the data subject or of another individual where they are incapable of giving consent; or(3) for the establishment, exercise or defence of legal claims;(4) for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, or the provision of health or social care;(5) for reasons of substantial public interest which are based in law, proportionate to the aim pursued, respect the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the individual;
(Additional grounds cover processing by not-for-profit bodies or public health.)The onus of proving one of these grounds lies - as always - on the organisation. Grounds (1) and (4) look useful in relation to the Coronavirus emergency, but any organisation wanting to rely on either of those grounds must also have in place a written policy which sets out:
- Which condition(s) the organisation is relying on for processing the special category data.
- The organisation's procedures for complying with the legal principles governing the processing of personal data.
- The organisation's policies on the retention and erasure of the data - including an indication of how long the data is likely to be retained.
The policy must be retained for (at least) as long as the processing continues, kept under review and produced to the ICO on request. For detail on how to meet your data protection obligations in the context of workplace testing, see our article on Coronavirus and Workplace Testing: How do we comply with Data Protection? There are several potential problems with relying on employee consent:
(1) Any consent - if it is to be valid under data protection law - has to be:
- requested specifically and in a manner clearly separated from any other matter, in an intelligible and easily accessible form and using clear and plain language; and
- given by a clear affirmative act showing a freely given, specific, informed and unambiguous indication of the employee's agreement to the intended processing of their personal data.
The onus of proving a valid consent was obtained lies on the organisation, so any consent should be documented in writing or by some electronic means.
(2) The UK data regulator the ICO has said that any consent given by an employee will normally be regarded as ineffective, because of the unequal balance of power in the employer-employee relationship.(3) Where an individual has consented to the processing of his/her data, he/she can withdraw that consent at any time and without giving a reason. If they do so, the organisation will have to stop processing that data (which includes erasing it form its records/ systems). Not always an easy task - especially when key resources are over-stretched.[ela_accordion][tela_accordion title="If we think one of our people might have contracted Covid-19, can we tell other members of staff?"]The latest guidance from the ICO confirms that you can keep your personnel informed about Coronavirus cases within the organisation - provided you go about it in the right way. In practice, this means following the processing principles laid down in the GDPR for handling “special category” (sensitive) data, so:
- don't identify the individual(s) unless you really have to;
- only tell those other members of your staff who actually need to know (ask yourself whether people at Site A need to know about someone at Site B); and
- don't disclose any more information than you really need to in order to meet the objective (safeguarding other members of staff)
- document your decision and your reasons for it.
As with any other personal data:
- If you don't actually need to collect / use data about an identifiable individual - don't.
- If you do need to process such data:- Make sure you have a lawful basis for doing so.- Never gather more - or more detailed - information than is absolutely necessary.- Update the privacy information you give to your employees.- Make sure you comply with any other procedural requirements - eg policy document requirements.- Document your decisions and compliance measures, and keep that documentation safe and accessible.
If you would like to talk through the consequences for your business, please email us and one of our team will get in touch.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.