ICO issues data guidance surrounding coronavirus

The ICO has issued guidance for controllers on the ongoing coronavirus (COVID-19) pandemic. The guidance seeks to provide clarity for controllers on how to tackle the ongoing issues in a lawful manner.

Health data

Health data is ‘special category’ data. Controllers therefore need to consider their additional lawful bases for processing this data.

Organisations have a duty to protect the health and safety of their employees. They need to identify employees who are higher risk (due to underlying health conditions or having recently travelled to and from high risk countries). It is therefore important for employers to know if individuals have been to these countries.

The following personal data principles are most relevant:

• Data must be processed lawfully, fairly and transparently
• Data can only be processed for specific purposes
• Controllers should minimise data processed for the specific activities
• Data must be safeguarded with adequate security measures
• Data should not be kept for longer than needed

The government’s current guidance provides a number of health conditions deemed higher risk. These include individuals who:

• Have diabetes, serious asthma or a heart condition
• Are receiving treatment for cancer
• Are pregnant
• Receive flu jabs (from doctors as they are deemed higher risk)

ICO Guidance

The ICO has issued guidance on frequently asked questions which states:

• General compliance: The ICO recognises that organisations’ resources might be stretched and diverted at the moment. It says it won’t necessarily take regulatory action where an organisation needs to prioritise other areas or adapt its usual approach
• Healthcare organisations: The ICO recognise that public bodies and health organisations can send public health information to individuals - this is not direct marketing. It has produced a blog for these organisations to give more detail
• Remote working: While remote working is likely to increase during the pandemic, organisations need to use the same homeworking data considerations as they would in normal circumstances
  
• Employees who contract COVID-19: While staff should be updated on whether someone has contracted COVID-19, only limited information should be provided (for example, names will rarely be justified)
• Collecting health data: While some data can be collected to protect employees’ health (for example if they have visited a high-risk country, or are experiencing COVID-19 symptoms), any data collected should still be limited. For visitors, they could refer the visitors to government advice. If needing specific health data on visitors, organisations must not collect more than necessary and must safeguard the data
• Public health processing: While it is unlikely organisations will need to share information with authorities about specific individuals, if it was necessary then they could do so

Comment

The guidance is welcome. It helps balance the (sometimes competing) interests of protecting employees’ health and safety and data processing obligations.

The guidance reflects that the ICO will continue to take a pragmatic stance. As it stated in its blog to health and care practitioners: 

“The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.”

When processing health data, certain pragmatic steps can assist, for example:

• If identifying high-risk employees (or those who test positive for COVID-19, or experience symptoms), do not share this information received widely
• Store any volunteered information from employees only for as long as needed
• If someone volunteers information on being high-risk, outline who such information might be shared with (to ensure data is processed transparently)
• Anonymise any internal communications about individuals and their health data where possible
• Consider information needed from visitors (for example a questionnaire on whether they have any symptoms and if they have visited high-risk countries).

While the government’s position could change (for example on self-isolation and steps the country should take as a whole), the data principles above can apply more broadly.