28 Apr 2020 - by Orrick, Herrington & Sutcliffe LLP

Data Protection Compliance During the COVID-19 Crisis

Changes to charity and social enterprise operations during lockdown periods will likely impact on your ability to comply with data protection regulations. The UK’s Information Commissioners Office (ICO) has indicated it will adopt a pragmatic approach in undertaking its regulatory duties. The following update provides some tips on measures that can be put in place to manage your organisation’s legal risks.

The General Data Protection Regulation (GDPR) requires organisations to comply with a number of statutory timeframes. For example, there is a one month deadline to comply with data subject rights requests and organisations have 72 hours to notify a regulator of a data breach. Given the current situation, organisations may be worried about complying with these deadlines. Additionally, organisations will be collecting more data on their employees and customers, partners or beneficiaries than normal, and they may not be entirely comfortable that they are doing this in a lawful manner. However, due to the exceptional circumstances of the COVID-19 pandemic some dispensation can be made.

The ICO has made it clear that, “We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that”. This broad statement should provide organisations with a level of comfort that they are unlikely to face regulatory action for legitimate (if not strictly speaking lawful) uses of Personal Data (including Special Category Data) during this time. The GDPR makes a provision to process health data for reasons of substantial public interest (where authorised by law) or for the “vital interest” of a data subject. These conditions are normally difficult for organisations to rely on, but during this crisis they may be appropriate.

However, we recognise that during these times, due to staff illness or shortage and reduced timescales, data protection compliance may be at risk.

Regulatory Flexibility

The ICO is likely to provide organisations with significantly more leeway, including in situations where you:

  • are not complying with subject rights requests, within the one month time frame, due to a lack of staff
  • are not completing Data Protection Impact Assessments and Legitimate Impact Assessments for new processing activities (that are linked to COVID-19)
  • are not reporting data breaches within 72 hours (although this will significantly depend on the potential harm to individuals)
  • are not complying with ICO deadlines (either under their information notice powers, or for conducting remediation activities)
  • do not have Article 28 Data Processing Agreements in place, where organisations need new data processors urgently
  • are not updating Article 30 records in a timely fashion
  • are collecting additional health data (especially of visitors or guests)

Having said this, organisations still need to be proportionate in their collection and processing of data, and be able to justify the decisions they make. These statements do not give organisations carte blanche authority to ignore the GDPR. The ICO has made it clear that organisations should avoid, if possible, disclosing the names of any individuals affected by the virus or collecting excessive health data on employees.

Practical Steps

Ensuring Personal Data is processed lawfully is unlikely to be any organisation’s main focus during this crisis, but there are a number of simple steps you can take to ensure that you can justify your organisation’s actions later down the line. For example:

  • keep employees, visitors, customers and clients informed of what data you are collecting and who they can contact about it. A simple email or bulletin with a list of what data you are collecting and an email contact, although not perfect, will help
  • if you have a task force or crisis committee, ensure that they review any proposed collection techniques. If possible, the Data Protection Officer should be a member of these committees
  • continue to apply security controls when sharing data (e.g., encryption and pseudonymisation techniques)
  • consider the rights and freedoms of individuals; the use of additional tracking and/or monitoring technologies on your employees is unlikely to be justified purely because of COVID-19
  • limit access to and use of the additional data you collect. Health data collected specifically for COVID-19 should not be entered onto standard human resources or customer relationship management platforms without strict controls in place
  • draft telephone scripts or template emails that explain to individuals that their requests may take longer to respond to
  • ensure any disclosures, announcements or bulletins go through an appropriate approval channel and, where possible, unique identifiers such as names have been removed
  • ensure you inform ICO in advance if you are unable to meet regulatory deadlines

It is particularly important to note that any flexibility offered by the regulators during this crisis will quickly come to an end when we return to business as usual. Organisations must review and delete this additional data as soon as it is no longer relevant. The ICO and other international regulators will have little sympathy for organisations that retain this data and will be particularly mindful of anyone trying to exploit this data for commercial gain.

During this time, it is about demonstrating that you are considering the potential impact of your actions and having some confidence that you can justify these actions in six months’ time.

Information in this update has been provided by A4ID’s Legal Partner Orrick, Herrington & Sutcliffe LLP and does not constitute legal advice. If you require specific legal advice arising from the matters outlined in this update please contact the Pro Bono Legal Services Team at probono@a4id.org.

Menu Title