17 March, 2020
The ICO has today published guidance in an attempt to reassure organisations, particularly those working in the public sector, that it will demonstrate flexibility and pragmatism during this extraordinary period.
In the guidance (available to view here) the ICO sets out its position on a number of issues that may be a cause for concern for many organisations at this time. This may include:
The answer in short is yes. This information will be classed as special category data under the GDPR and there are a number of lawful bases to process this information lawfully including 'processing is necessary for the protection of vital interests' and 'processing is necessary for compliance with legal obligations in the field of employment law, social protection and social security'. Advice from the ICO on this point states that "you have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn't prevent you doing this."
Data protection law does not prevent an increase in home working or prevent staff from working on their own devices where necessary. Your existing data protection compliance will continue to be applicable and staff will need to follow your data protection policies and procedures.
In the event your organisation is called upon to share information with public authorities in relation to COVID-19, you will be permitted to do so under data protection law.
The ICO has confirmed that it understands that resources may be diverted away from usual compliance or information governance work and it won't penalise organisations that need to prioritise other areas or adapt their usual approach during this extraordinary period. There is the potential to extend the statutory 1 month timescale for handling data subject rights requests to up to 3 months and we would suggest any existing requests are extended if you do not have the resources to deal with
This guidance should provide some comfort to organisations to reassure them that the ICO will act reasonable and demonstrate flexibility at this time. If you require any data protection support at this time, please don't hesitate to contact Bethany Paliga by email, or call 01254 222347.