The ICO recognises the unprecedented challenges we are all facing during the Coronavirus (COVID-19) pandemic.
We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is.
And the ICO is here to help – please see below for answers to the questions we’re being asked. If you need more help, call us on 0303 123 1113.
During the pandemic, we are worried that our data protection practices might not meet our usual standard or that our response to information rights requests will take longer. Will the ICO take regulatory action against us?
No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.
The ICO has published a document setting out our regulatory approach during the coronavirus pandemic.
As a healthcare organisation, can we contact individuals in relation to COVID-19 without having prior consent?
Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email, as these messages are not direct marketing. Nor do they stop you using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health. More information for health and care professionals here.
As a healthcare professional, I’m concerned that by sharing people’s personal data so quickly I’m breaching data protection law.
During this unprecedented time our data protection laws can and do work flexibly to ensure everyone has the care they need to fight the pandemic and that organisations can be assured they are not doing anything wrong.
There are many routes available to share data, including using some of the exemptions in the Data Protection Act 2018 that allow data sharing where it supports necessary and proportionate action.
In addition, the Secretary of State has issued a series of COPI Notices (control of patient information), directing healthcare organisations to share confidential patient information for purposes relating to the COVID-19 pandemic (such as providing care services and managing risks to public health). These notices are designed to give assurance to healthcare organisations intending to share data in order to look after their patients or effectively allocate resources.
Frontline NHS healthcare professionals should rest assured that we’re working behind the scenes with the NHS at the highest levels to make sure data sharing during COVID-19 is done legally and quickly so you don’t have to worry.
I’m a clinician under pressure on the frontline. What if I make a mistake sharing personal data? I’m worried the ICO will take action against me or my Trust.
It would be very difficult to think of a scenario where the ICO would take action against healthcare workers clearly trying to act to save lives against the backdrop of a public health emergency. We have recently published details of how we will regulate during coronavirus.
What happens once the pandemic is over? Is this a new way of working? Do we continue to share data without question?
If you share data under the direction of the COPI notices you will only be able to do this during the active period of the notice. The notices apply during the period of the public health emergency and are currently set to be reviewed in September 2020.
However, once the pandemic is over and the COPI notices no longer apply, you will need to be able to identify an alternative lawful basis for processing this information. If you can’t, you will have to stop sharing and processing confidential patient information.
The ICO recognises that it may take some time for healthcare organisations to recover from the pandemic, and we will take a proportionate approach in looking at data sharing issues. Details on our regulatory approach during and after the pandemic have been published on our website. Data protection law is never a barrier to sharing data where it’s necessary and proportionate.
As a manager of a care home, can I tell a resident or their family if another resident (or member of staff) may have contracted COVID-19?
Yes, so long as you don’t disclose the identity of the individual, unless you need to under the specific circumstances. You have a duty to ensure the health and safety of your residents. Data protection doesn’t prevent you doing this.
More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
Can I tell my staff that a colleague may have potentially contracted COVID-19?
Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.
Can I share employees’ health information with authorities for public health purposes?
Yes. It’s unlikely your organisation will have to share information with authorities about specific employees as monitoring will usually be undertaken by healthcare professionals. However, if it is necessary then data protection law will not stop you from doing so.
Employers (from the public or private sector) can generally rely on legitimate interest as their Article 6 lawful basis when processing the health data of employees for health and safety purposes. However, you will also need an Article 9 condition for processing special category data.
If you need to share employee health data with the authorities during the COVID-19 crisis, then you may be able to rely on the public health condition in Article 9(2)(i) read with Schedule 1, paragraph 3 of the DPA18.
I have set up a community group in my neighbourhood to help vulnerable and self-isolating people. What are my data protection obligations?
Data protection won’t stop you from helping people, but there are certain things you need to take into account when handling people’s information. We have published a blog for community groups on what they need to know about data protection.
As a community group and not-for-profit organisation, you are not required to pay the ICO’s registration fee. However, it’s still important that you follow data protection guidance when handling people’s information.