Data Protection in the Time of COVID-19

Cathrine Ripley considers the regulatory approach being adopted by the European Data Protection Board and the Information Commissioner's Office following the COVID-19 pandemic.

In response to the COVID-19 outbreak, the European Data Protection Board (“EDPB”) has published a statement providing guidance on the interpretation of data processing regulations. As COVID-19 is a public health emergency and it is in the public interest to use modern techniques to prevent its spread, it is important that data protection rules (such as the GDPR) do not hinder measures taken in the fight against the pandemic. At the same time, however, it is more important than ever that personal data is processed lawfully, and the EDPB’s statement sets out a number of considerations which should be taken into account at this time:

  1. The GDPR allows the processing of personal data by public health authorities and employers in the context of an epidemic if required by national legislation irrespective of consent.
  2. Employers may process personal data when it is necessary to protect the public interest, such as controlling the spread of disease in the workplace. Certain categories of personal data, such as health data, which are usually restricted may be processed under national law to protect the vital interests of the individual during the pandemic.
  3. Legislative measures may be introduced to allow the processing of telecom data, such as location data, if it is considered a necessary and proportionate measure for the protection of public safety. The law is clear that, if possible, this data should be anonymised and that if measures allowing the processing of non-anonymised location data are introduced, adequate safeguards will need to be implemented.

The statement emphasises that the core principles of data processing must continue to be respected: in particular, personal data should only be processed for specified and explicit purposes, and individuals should be provided with easily accessible information on the processing activities which are undertaken and the periods for which data is stored. Data protection and confidentiality policies should be followed to protect against the unlawful disclosure of information, and any decisions made with a view to managing the COVID-19 pandemic should be well documented.

Following the EDPB’s statement, the Information Commissioner's Office (ICO) published guidance on the regulatory approach it will be adopting during the pandemic. In recognition of its duty to support organisations providing healthcare and other frontline services to the public during the crisis, the ICO pledges to fast-track advice and guidance which will help these organisations deal with and recover from the crisis, ensuring that this advice considers the potential economic impacts.

The ICO plays an active role in helping the public understand their information rights, but also in informing them that information requests are likely to take longer to comply with during the pandemic.

When considering complaints during this period, the ICO has considered the impact of the pandemic on the relevant organisation: for example, if the organisation has been required to dedicate a large amount of resources to the front line, or if it is in the process of recovering financially from the crisis, delays in complying with requests are to be expected.

The ICO has an important role to play in balancing the benefit to the public of taking regulatory action against the detrimental effect of doing so and has provided some guidance on how this balance is struck:

  1. Personal data breaches should still be reported within 72 hours of the organisation becoming aware of them; these reports will be assessed empathetically.
  2. A strong regulatory approach will be taken against any organisation breaching data protection rules to take advantage of the crisis.
  3. Organisations may be afforded longer to attempt to rectify a breach.
  4. Formal regulatory action in connection with outstanding information request backlogs will be suspended.
  5. Before issuing fines, their economic impact and affordability will be assessed and the level of fines may be reduced.
  6. The ICO may refrain from enforcement against organisations which fail to pay their data protection fee if this is due to economic circumstances caused by the pandemic and a payment timescale can be agreed.
  7. As the crisis is likely to affect an organisation’s ability to comply with aspects of freedom of information laws, the ICO will investigate complaints pragmatically, taking into account the resources of the organisation in question.
  8. The ICO understands that in extreme circumstances some public authorities may have to temporarily reduce or suspend access to information. In these circumstances it is important that the authority makes information regarding the suspension available to the public.

It is clear that, in light of the global crisis caused by the pandemic, a flexible and pragmatic approach is being adopted regarding the interpretation of data protection laws.

The most up-to-date ICO guidance on its regulatory approach was published in September 2020, and is available here:

Data protection is obviously only one of the many challenges presented by the pandemic to businesses and other organisations. If you have any questions about the contents of this article or data protection more generally, please contact Cathrine Ripley at [email protected].