Skip to content

Insights

  1. Home
  2. News & Insights
  3. Insights
  4. Managing Data Protection Law when responding to COVID-19
10 March 2020

Managing Data Protection Law when responding to COVID-19

As businesses introduce strategies to manage the outbreak of COVID-19 and begin implementing business continuity plans, they should take a minute to consider their obligations under the applicable data protection legislation. 

As the UK remains in the ‘Containment Phase’ for now, businesses are providing employees with information on how best to prevent the spread of Covid-19 such as washing your hands.  However, as the number of COVID-19 cases increases, businesses are implementing containment policies that include asking employees to share and report their location (including for personal and business travel) as well as providing health information on request.  Location data constitutes personal data under data protection law and health information is ‘sensitive personal data’, which requires additional consideration. 

What do businesses need to consider?

  • Fair and lawful processing: In order to collect and process employee location and health data businesses should consider their ‘legal basis for processing’ under data protection law (i.e. legitimate interest, consent etc).  Is additional processing of data in response to COVID-19 compatible with the purposes for which it was initially collected and have you provided fair processing information?
  • Storage: Data security requirements still apply to the processing of personal data.  This means businesses must ensure they have organisational and technological processes in place to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data.
  • Anonymisation: Anonymisation should always be used with caution as personal data must be ‘truly anonymous’ meaning the individual is no longer indirectly or directly identifiable.  In South Korea safety guidance texts were sent to citizens which included the past movements of people recently diagnosed with Covid-19 and while they were believed to be anonymised, individuals were indirectly identified through the information disclosed in the texts. Had this happened in the UK, it would likely have been an infringement of data protection law.
  • Do any exemptions apply? There are exemptions under data protection law for personal data processed where required by law, to protect the public (subject to defined categories) and in relation to health (under limited circumstances).
  • Data Protection Impact Assessment (DPIA): Consider undertaking a DPIA to assess the risk of processing personal data with any changes your organisation is implementing.  Undertaking a DPIA will help you identify and reduce any data protection risks.

For more information, please contact Jonathan McDonald or Olivia Crane.

News & Insights

Show all News & Insights
News

Charles Russell Speechlys launches as Hong Kong firm and welcomes litigator Ray Ng

Charles Russell Speechlys is launching as a Hong Kong law firm today and welcoming experienced litigator Ray Ng to the team.

Continue Reading
News

Charles Russell Speechlys continues international expansion with the hire of four new partners

We are delighted to announce the hire of four new partners across four of our offices.

Continue Reading
Insights Charlotte Duly

IP in a Pod: Social Media

What IP issues surround the use and protection of hashtags, memes, GIFs and stickers?

Continue Reading
Insights Mark Summers

Midshore or Midtown? Changing trends in wealth structuring for Latin American clients

Our panel discussed how Latin American international wealth structuring is changing, current trends and the impact of economic substance.

Continue Reading
TOP