Data Protection and Coronavirus: ICO Publishes Statement

Together we are Forbes


17 March, 2020

Bethany Paliga
Senior Associate

The ICO has today published guidance in an attempt to reassure organisations, particularly those working in the public sector, that it will demonstrate flexibility and pragmatism during this extraordinary period.

In the guidance (available to view here) the ICO sets out its position on a number of issues that may be a cause for concern for many organisations at this time. This may include:

Can we tell staff that a colleague/customer has potentially contracted COVID-19?

The answer in short is yes. This information will be classed as special category data under the GDPR and there are a number of lawful bases to process this information lawfully including 'processing is necessary for the protection of vital interests' and 'processing is necessary for compliance with legal obligations in the field of employment law, social protection and social security'. Advice from the ICO on this point states that "you have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn't prevent you doing this."

What security measures should we have in place for homeworking?

Data protection law does not prevent an increase in home working or prevent staff from working on their own devices where necessary. Your existing data protection compliance will continue to be applicable and staff will need to follow your data protection policies and procedures.

Can we share information about employees/customers with public authorities?

In the event your organisation is called upon to share information with public authorities in relation to COVID-19, you will be permitted to do so under data protection law.

Will we be penalised if our data protection compliance does not meet our usual standards?

The ICO has confirmed that it understands that resources may be diverted away from usual compliance or information governance work and it won't penalise organisations that need to prioritise other areas or adapt their usual approach during this extraordinary period. There is the potential to extend the statutory 1 month timescale for handling data subject rights requests to up to 3 months and we would suggest any existing requests are extended if you do not have the resources to deal with

This guidance should provide some comfort to organisations to reassure them that the ICO will act reasonable and demonstrate flexibility at this time. If you require any data protection support at this time, please don't hesitate to contact Bethany Paliga by email, or call 01254 222347.

Learn more about our Governance, Procurement & Information department here

Coronavirus Crisis Planning

Protecting your assets

Contact Us

Get in touch to see how our experts could help you.

Call0800 689 3206

CallRequest a call back

EmailSend us an email

Contacting Us

Monday to Friday:
09:00 to 17:00

Saturday and Sunday: