As the coronavirus pandemic escalates we are starting to grapple with the challenges posed by a way of life in which lockdowns, home working and social distancing are the new norm, at least for the immediate future.
During such an unprecedented time, you may have some concerns about how your personal data is being processed by different organisations, including by your employer. Perhaps you are wondering whether you can still exercise your information rights under the GDPR, such as the right to access your data or have it deleted. We have put together this guidance to try to address some common concerns and provide you with some clarity as to how your personal data might be used in managing the coronavirus pandemic. If you have a question that is not covered in the guidance or you require assistance in respect of a data protection issue, please do not hesitate to contact us. Although we are now working home, it is otherwise business as usual for the Birketts data protection team.
Can the Government, NHS or other healthcare organisations contact me about the coronavirus without my consent?
The Government, NHS and other healthcare organisations will contact you by phone, email or text to ensure that you receive important public health messages. They do not need your consent to do this. However, if retailers or service providers wanted to send you marketing messages about goods or services that they thought might be of particular interest to you in light of the coronavirus pandemic, they would still need to follow the usual rules for sending direct marketing so may need your consent.
Can my employer ask if I’m suffering any symptoms or where I’ve travelled to/from?
Your employer has a legal duty to protect the health and safety of all of its employees. To ensure that it can identify any risks within your workplace, it is reasonable for it to ask you to provide this information. However, it should only ask for as much information as it actually needs to keep you and your colleagues safe and it should only keep the information for as long as it reasonably needs it for that purpose. If you have any concerns about how much information is being requested or how long the information is being kept you should raise this with your employer. If you are still concerned after having spoken to your employer, you may wish to contact the ICO.
If I am showing symptoms of COVID-19, can my employer tell my colleagues?
Your employer has a duty to keep all of its employees safe so if someone in the workplace has become ill with COVID-19 (or shows symptoms of COVID-19) it will need to let others know, particular if it means they will need to self-isolate or be asked to stay away from the workplace. If possible, your employer should avoid naming you specifically but this cannot guarantee that your colleagues will not realise you are ill, particularly if you work in a small team.
I have made a subject access request. Does the organisation still need to comply with my request and will it take them longer to do so?
Organisations do still need to comply with subject access requests (and any other request from an individual to exercise their rights under data protection law). However, many organisations have had to divert resources away from data protection compliance to deal with the pandemic and you well may experience a delay in receiving a response. The ICO has confirmed that it does not intend to penalise organisations in this situation.
I have heard that some countries want to track people using mobile phones to manage the outbreak. Can they really do that?
Mobile carriers have begun sharing anonymised data with health authorities in some countries such as Italy and Germany and it is possible that this may happen in the UK too. You should not be overly concerned by this. The regulators have made it very clear that only anonymous data (that is, data that cannot identify you) should be shared for this purpose. If the data cannot be anonymised, it can only be shared after special legal measures have been introduced to ensure that you remain protected.
I would like to set up a community group to help people in my area during the pandemic but I am worried that I might be breaking data protection laws if I do.
You are right to recognise that you will need to be careful about how you use people’s information but please do not let fears over data protection stop you helping others in your community. The ICO has published an excellent blog telling you what you will need to do to make sure you comply with data protection laws and has provided resources to help you. You can find the blog on the ICO’s website at https://ico.org.uk/about-the-ico/news-and-events/blog-community-groups-and-covid-19/.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at March 2020.