The ICO has recently released guidance on what you need to know about your data protection obligations in relation to the unprecedented challenges we are all facing during the Covid-19 pandemic.

Compliance with GDPR

The ICO understands that resources may need to be diverted away from compliance and information governance work and the ICO will not penalise organisations that need to prioritise areas or adapt their usual approach during this extraordinary period. The ICO will not be extending statutory timescales but they have confirmed that they will inform data subjects through their own communications channels that they may experience delays when making information rights requests during the pandemic.  Where responding to Subject Access requests is hampered by the pandemic we would recommend that records are kept to document why, where practical.

Public Health issues

For those in the health sector, the ICO has confirmed that GDPR and the laws relating to electronic communications do not stop the Government, the NHS or other health professionals from sending public health messages, whether by phone, text or email as these emails will not be classed as direct marketing.

The ICO acknowledges that those working in public health may need to collect and share additional personal data in responding to the crisis and that it may be necessary to utilise new technologies to facilitate “speedy consultation and diagnosis”.

Please see the ICO’s guidance for more information about data sharing and collecting health information.

NHSX Guidance on Information Governance

NHSX have also released their own guidance which confirms that the ICO has “assured” NHSX that they cannot envisage taking action against a health professional in relation to the use of data where they are “clearly trying to deliver care”.

It is of interest that NHSX also consider that using mobile messaging to communicate with colleagues and patients is appropriate.  This goes as far as to approve the use of Whatsapp where there is “no practical alternative”.  The guidance however reminds all Data Controllers that consideration must still be given to the type of information and to whom it is being shared, alongside ensuring that only the minimum information to achieve the aim is shared.  The guidance also covers home working and videoconferencing advice.

The NHSX guidance is here.

For further advice please get in touch with one of our information law experts:


For further support and advice relating to the impact of COVID-19, please view our COVID-19 Advisory Service page.

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.