UK: ICO issues statements on data protection and Coronavirus
The Information Commissioner's Office ('ICO') issued, on 12 March 2020, a statement ('the Statement') on general information regarding data protection and the COVID-19 ('Coronavirus') epidemic, and a further statement specifically relating to data controllers ('the Data Controllers Statement'). In particular, the Statement highlights that data protection and electronic communication rules do not prevent the Government, the National Health Service ('NHS'), or any other health professionals from sending public health messages to people without their consent, either by phone, text, or email, as these messages are not considered direct marketing. The Statement further mentions that public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.
In addition, in the Data Controllers Statement, the ICO assured data controllers that it would not take regulatory action against them in case their practices fail to meet their usual standard or where their response to information rights requests take longer. Even though statutory timescales may be extended, data subjects will be informed by the ICO of the possibility of experiencing delays when making information rights requests. Furthermore, in terms of security, the Data Controllers Statement notes that data controller staff may work from home by using their own device or communications equipment, and that data controllers should keep staff informed about confirmed Coronavirus cases, without disclosing unnecessary information. Lastly, the ICO stated that should it be necessary, data controllers may collect employee and visitor medical data, and share this with public authorities.