The ICO describes itself as a reasonable, pragmatic and supportive regulator and has emphasised that it does not operate in isolation from matters of serious public concern. Set out below is a summary of recent guidance from the ICO relating to the COVID-19 pandemic.
Preventing the spread of disease
In carrying out its functions regarding compliance with data protection during the pandemic, the ICO will take into account the compelling public interest in preventing the spread of disease. Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, whether by phone, text or email, as these messages are not direct marketing. Nor do they stop such bodies from using the latest technology to facilitate safe and speedy consultations and diagnoses. In addition, public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.
For data controllers generally here
For members of the public here
Advice for community groups
As individuals and communities seek to find ways of working together to provide support to the most vulnerable in their communities, new collaborations are taking place and community groups are being formed to assist existing charities and other support networks. The ICO has published a short blog for community groups, setting out guidelines as to how to store and share sensitive personal information and stay within the law. The key pointers are to:
- Keep it clear: be open and honest about what you are doing with their personal information;
- Keep sharing: it might be more harmful not to share data;
- Keep it lawful: on what legal basis are you relying when collecting and sharing data?
- Keep it secure: ensure that data is kept securely, whether online or in hard copy;
- Keep it to a minimum: only use and keep what you need; and
- Keep a record: keep records, in as much detail as possible, of all decisions relating to the use of personal data.
Crucially, the blog reminds readers, data protection rules will not stop you from helping those in need. However, a recent breach by a UK housing association underlines the importance of ensuring that people understand the rules and know how to do things properly. The housing association, aiming to provide guidance on how to communicate with and receive information from the association during the COVID-19 outbreak, accidentally sent out an email containing contact and personal details, including ethnicity and sexual orientation, about a significant portion of its residents. This underlines the importance of ensuring volunteers receive appropriate training. Advice for community groups is available here.
Advice for employers and homeworking
The ICO has also shared advice from the National Cyber Security Centre to help organisations manage the challenges associated with increased numbers of staff working at home. The advice is intended both to reduce the risk of cyber-attacks on employees’ laptops, mobiles and tablets and to increase the likelihood of staff members spotting and avoiding phishing scams. The guidance is available here.
Data protection and COVID-19 information hub
The ICO has established an information hub to assist organisations and individuals with data protection queries and to provide relevant guidance during the pandemic. The hub can be found here.