Managing Data Protection Law when responding to COVID-19
As businesses introduce strategies to manage the outbreak of COVID-19 and begin implementing business continuity plans, they should take a minute to consider their obligations under the applicable data protection legislation.
As the UK remains in the ‘Containment Phase’ for now, businesses are providing employees with information on how best to prevent the spread of COVID-19, such as washing your hands. However, as the number of COVID-19 cases increases, businesses are implementing containment policies that include asking employees to share and report their location (including for personal and business travel) as well as providing health information on request. Location data constitutes personal data under data protection law, and health information is ‘sensitive personal data’, which requires additional consideration.
What do businesses need to consider?
- Fair and lawful processing: In order to collect and process employee location and health data, businesses should consider their ‘legal basis for processing’ under data protection law (e.g. legitimate interest, consent etc). Is additional processing of data in response to COVID-19 compatible with the purposes for which it was initially collected, and have you provided fair processing information?
- Storage: Data security requirements still apply to the processing of personal data. This means businesses must ensure they have organisational and technological processes in place to protect personal data from accidental or unlawful destruction, loss or alteration, and from unauthorised disclosure or access.
- Anonymisation: Anonymisation should always be used with caution, as personal data must be ‘truly anonymous’, meaning the individual is no longer directly or indirectly identifiable. In South Korea, safety guidance texts sent to citizens included the past movements of people recently diagnosed with COVID-19. While the texts were believed to be anonymised, individuals were indirectly identified through the information disclosed in them. Had this happened in the UK, it would likely have been an infringement of data protection law.
- Do any exemptions apply? There are exemptions under data protection law for personal data processed where required by law, to protect the public (subject to defined categories) and in relation to health (under limited circumstances).
- Data Protection Impact Assessment (DPIA): Consider undertaking a DPIA to assess the risk of processing personal data arising from any changes your organisation is implementing. Undertaking a DPIA will help you identify and reduce any data protection risks.