Managing Data Protection Law when responding to COVID-19
As businesses introduce strategies to manage the outbreak of COVID-19 and begin implementing business continuity plans, they should take a minute to consider their obligations under the applicable data protection legislation.
As the UK remains in the ‘Containment Phase’ for now, businesses are providing employees with information on how best to prevent the spread of Covid-19 such as washing your hands. However, as the number of COVID-19 cases increases, businesses are implementing containment policies that include asking employees to share and report their location (including for personal and business travel) as well as providing health information on request. Location data constitutes personal data under data protection law and health information is ‘sensitive personal data’, which requires additional consideration.
What do businesses need to consider?
- Fair and lawful processing: In order to collect and process employee location and health data businesses should consider their ‘legal basis for processing’ under data protection law (i.e. legitimate interest, consent etc). Is additional processing of data in response to COVID-19 compatible with the purposes for which it was initially collected and have you provided fair processing information?
- Storage: Data security requirements still apply to the processing of personal data. This means businesses must ensure they have organisational and technological processes in place to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data.
- Anonymisation: Anonymisation should always be used with caution as personal data must be ‘truly anonymous’ meaning the individual is no longer indirectly or directly identifiable. In South Korea safety guidance texts were sent to citizens which included the past movements of people recently diagnosed with Covid-19 and while they were believed to be anonymised, individuals were indirectly identified through the information disclosed in the texts. Had this happened in the UK, it would likely have been an infringement of data protection law.
- Do any exemptions apply? There are exemptions under data protection law for personal data processed where required by law, to protect the public (subject to defined categories) and in relation to health (under limited circumstances).
- Data Protection Impact Assessment (DPIA): Consider undertaking a DPIA to assess the risk of processing personal data with any changes your organisation is implementing. Undertaking a DPIA will help you identify and reduce any data protection risks.
For more information, please contact Jonathan McDonald or Olivia Crane.
Our thinking
Mark Howard
Charles Russell Speechlys advises Content+Cloud on the acquisition of award-winning service provider Azzure IT
Content+Cloud continues its growth journey, this is our 7th successful transaction for them.
Sarah Keens
Being Green - The Struggle for Power
Everything you need to know about Green Leases
Rose Carey
Is the UK open for business? A discussion with the Home Office
We hosted an immigration webinar with the policymakers from the Home Office.
Louise Ward
Louise Ward writes for EG on what UK investors can gain from an overseas life sciences partner
What UK investors can gain from an overseas life sciences partner
Sonia Kenawy
Sonia Kenawy writes for New Law Journal on cryptocurrency and security for costs
Sonia Kenawy writes for New Law Journal on cryptocurrency and security for costs
David Haines
New Arbitration Scheme for Commercial Arrears goes live
Everything you need to know about the new Arbitration Scheme for Commercial Arrears
Charlotte Healy
Charlotte Healy and Katie Bewick write for Pharmacy Business on expert determination
Charlotte Healy and Katie Bewick write for Pharmacy Business on expert determination
Pei Li Kew
Pei Li Kew writes for Pharmacy Business on the link between pharmacy and IP
Pei Li Kew writes for Pharmacy Business on the link between pharmacy and IP
Charlotte Duly
Charlotte Duly writes for CITMA Review on the China Tang trade mark infringement case
Charlotte Duly writes for CITMA Review on the China Tang trade mark infringement case
Mark Howard
Charles Russell Speechlys advises Acora on its acquisition of Secrutiny
Charles Russell Speechlys advises Acora on its acquisition of Secrutiny
Jonathan McDonald
Announcement of a new Data Bill as part of the Queen's Speech
Oliver Park
Building Safety Act 2022
Everything you need to know about the Building Safety Act 2022
Jonathan McDonald
Jonathan McDonald provides comment for City AM on the Data Reform Bill announced in the Queen's Speech
Jonathan McDonald provides comment for City AM on the Data Reform Bill announced in the Queen's Speech
Claire Fallows
CoStar quotes Claire Fallows on the new infrastructure levy announced in the Queen's Speech
CoStar quotes Claire Fallows on the new infrastructure levy announced in the Queen's Speech
Nick White
Charles Russell Speechlys advises Symphony Holdings Limited on the sale of its PONY trade mark portfolio for USD $28 million
Charles Russell Speechlys advises Symphony Holdings Limited on the sale of its PONY trade mark portfolio for USD $28 million.
Hope Wilson
Hope Wilson writes for the EG Legal Q&A on qualifying criteria
Hope Wilson writes for the EG Legal Q&A on qualifying criteria
Simon Ridpath
Simon Ridpath featured in the Lawyer’s Hot 100 list
Simon Ridpath features in The Lawyer’s Hot 100 list
Mark Howard
Charles Russell Speechlys advises Europa Oil & Gas (Holdings) plc on its £7m equity fundraising
Europa Oil and Gas is a renewable energy, oil and gas development and production company.
Emma Humphreys
Property Patter: what’s been happening in the world of Essential Residential?
We discuss recent cases of interest to those dealing with residential property.
David Savage
David Savage writes for PBC Today on the end of rebated fuel
David Savage writes for PBC Today on the end of rebated fuel