COVID-19 & GDPR
Due to the coronavirus pandemic, the Information Commissioner’s Office (ICO) has sought to adopt a somewhat flexible approach for employers dealing with subject access requests (SARs) and general queries; however, even in these unprecedented times, there is still no excuse for failing to keep on top of such serious matters.
All businesses and organisations should, at the very least, have data protection policies in place covering the data of their customers, employees, suppliers and third parties.
The ICO has stated that it will try to avoid pursuing regulatory action at this time, although it cannot extend the statutory timescales (e.g. one calendar month to respond to a SAR, and 72 hours to report a personal data breach to the ICO).
It has produced a policy document setting out a more understanding and pragmatic regulatory approach during the coronavirus pandemic, although it should be noted that this policy is not binding and is only temporary. The ICO’s current leniency should not be blindly relied upon to excuse personal data breaches, delays in reporting, or failures to have policies in place and adhered to.
In these times, with many businesses having home-working procedures in place, security is a particular concern and businesses should ensure that they have adapted their security and reporting procedures accordingly.
In deciding whether to take regulatory action, including issuing fines, the ICO has said that it will take into account what the business has in place now, the difficulties the business is facing and what it intends to put in place when the pandemic is over. Businesses would be well-advised to plan and carry out Data Protection Impact Assessments (DPIAs) when introducing or modifying systems that handle personal data. A DPIA is a process by which a business identifies, analyses and minimises the risks that a new system could pose to personal data.
Since the GDPR’s introduction, EU data protection authorities have issued more than £400 million in fines. Recently, the ICO fined a London-based pharmacy £275,000 for failing to ensure the security of special category data (medical records). The company left 500,000 documents, dated between 2016 and 2018, in unlocked containers at its premises in Edgware; these included the names, addresses, medical information and prescriptions of individuals. The Director of Investigations at the ICO said:
“The careless way Doorstep Dispensaree [the company/data controller] stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”
The ICO decided that “the systemic nature of Doorstep Dispensaree’s data protection failure is underlined by the fact that its policies and procedures are outdated and inadequate”.
When considering the level of fine to impose, the ICO took the following into account:
- Nature of the breach;
- Gravity of the breach;
- Duration of the breach;
- Number of data subjects affected; and
- Damage caused by the breach.
It is therefore imperative that businesses have bespoke policies in place (which are regularly reviewed and updated), and that they regularly train their own staff in how to follow them.
The ICO’s key messages during the pandemic, which apply to most individuals, include the following:
- Government, the NHS and other organisations will make sure you get vital public health messages via phone, email or text. You don’t need to give them your consent.
- You might be asked to give details about sensitive health conditions and recent travel that you think are excessive. Employers and organisations do have an obligation to protect their staff, so in some cases it can be reasonable for them to ask you if you have experienced coronavirus symptoms. But they shouldn’t be asking for more information than is necessary, and if you are concerned speak to the organisation involved.
- If you become ill with coronavirus, your employer might need to tell your colleagues. But that doesn’t mean they need to give out your name.
- If you’ve made a Freedom of Information request to a public body or made a subject access request (SAR) for your own information, you should expect delays in response. That’s because organisations are diverting their resources to help with other challenges.
If you would like to discuss how we can help you draft bespoke data protection policies, assist with any ICO investigation, reply to SARs or conduct a DPIA on your behalf, contact our Regulatory team on 01484 519 999 today.