The Information Commissioner’s Office has vowed to cut firms some slack over the enforcement of data protection rules during the coronavirus outbreak, and in particular will support delays in data subject access requests (DSARs) while also allowing firms to collect sensitive health data on their staff.
In a blog post, the regulator said that it will not penalise organisations that it knows need to prioritise other areas or adapt their usual approach to DSARs during this “extraordinary period”.
While conceding that it cannot extend statutory timescales, the ICO said it will tell people through its own “communications channels” that they may experience understandable delays when making information rights requests during the pandemic.
With reports that companies are growing increasingly concerned about their employees’ privacy rights, the regulator has also issued advice over the release of sensitive health data, although has urged firms to take a measured approach.
Confirming that firms can inform staff if a colleague has potentially contracted Covid-19, the ICO states: “You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.
“You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.
On visitors to offices, the regulator states: “It’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing Covid-19 symptoms. You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.
“If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.”
The regulator added: “The ICO recognises the unprecedented challenges we are all facing during the coronavirus (Covid-19) pandemic.
“Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health. The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.
“The safety and security of the public remains our primary concern. The ICO and our colleagues in the public sector have this at the forefront of our minds at this time. We are here to help our colleagues on the frontline. We can offer advice to make sure the law around data protection and direct marketing is clear.
“We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is.”
Related stories
KFC finally admits ditching ‘Finger Lickin’ Good’ activity
‘Finger Lickin’ Bad’: KFC ad campaign faces the chop
Call centre sector braced for Covid-19 double whammy
‘Alarmist’ and ‘exploitative’ coronavirus mask ad axed
Omnicom bans Far East travel as coronavirus spreads
Mail blames the ICO for blocking coronavirus warnings
KFC ‘Finger Lickin’ Good’: Oh Mother, not this time…