This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.
| 1 minute read

Data Protection and COVID-19: sorting through the guidance

The ICO has been a little late to the game in publishing guidance in relation to COVID-19 but today published some FAQs largely targeting healthcare practitioners but with a few useful pointers for others. Guidance has also been published by other data protection authorities including in Ireland, Poland, France, Italy and Denmark. Unfortunately, the advice is not entirely consistent and, combined with some rather dubious interpretations of GDPR which are circulating online, the result has been companies getting more rather than less confused. Here are some key practical issues to bear in mind:

1) Remote working: check that appropriate IT security assessments have been undertaken and that staff are reminded about compliance with company policies even when working from home. Consider carefully what contact details are needed for workers bearing in mind it won't be proportionate to circulate everyone's private contact details. Can technology solutions be used to contact people instead?

2) Health checks: it won't be proportionate to undertake health checks on staff such as temperature checks. Many of the health exemptions in GDPR that people are talking about apply to public and health authorities and not to private data controllers.

3) Health data: there will be some variations at member state levels. In most jurisdictions it won't be appropriate to proactively collect or record COVID-19 health information about staff  or of their family and friends. Nor should it be proportionate to circulate the name of affected individuals around the company. Think about confidential reporting channels for staff, what minimum information is necessary to be processed. DPAs have varied in their approach and practical advice on this but the key is to keep it very minimal.

4) Transparency: consider whether updated notices need to be issued to staff about the use of their data in the context of COVID-19.

5) Accountability: make sure decisions around personal data processing are recorded. Data protection impact assessments may be appropriate.


coronavirus, gdpr, ico, entertainment & media, covid-19