19/03/2020
The ICO has recently released guidance on what you need to know about your data protection obligations in relation to the unprecedented challenges we are all facing during the Covid-19 pandemic.
Compliance with GDPR
The ICO understands that resources may need to be diverted away from compliance and information governance work and the ICO will not penalise organisations that need to prioritise areas or adapt their usual approach during this extraordinary period. The ICO will not be extending statutory timescales but they have confirmed that they will inform data subjects through their own communications channels that they may experience delays when making information rights requests during the pandemic. Where responding to Subject Access requests is hampered by the pandemic we would recommend that records are kept to document why, where practical.
Public Health issues
For those in the health sector, the ICO has confirmed that GDPR and the laws relating to electronic communications do not stop the Government, the NHS or other health professionals from sending public health messages, whether by phone, text or email as these emails will not be classed as direct marketing.
The ICO acknowledges that those working in public health may need to collect and share additional personal data in responding to the crisis and that it may be necessary to utilise new technologies to facilitate “speedy consultation and diagnosis”.
Please see the ICO’s guidance for more information about data sharing and collecting health information.
NHSX Guidance on Information Governance
NHSX have also released their own guidance which confirms that the ICO has “assured” NHSX that they cannot envisage taking action against a health professional in relation to the use of data where they are “clearly trying to deliver care”.
It is of interest that NHSX also consider that using mobile messaging to communicate with colleagues and patients is appropriate. This goes as far as to approve the use of Whatsapp where there is “no practical alternative”. The guidance however reminds all Data Controllers that consideration must still be given to the type of information and to whom it is being shared, alongside ensuring that only the minimum information to achieve the aim is shared. The guidance also covers home working and videoconferencing advice.
For further advice please get in touch with one of our information law experts:
For further support and advice relating to the impact of COVID-19, please view our COVID-19 Advisory Service page.