The ICO has been a little late to the game in publishing guidance in relation to COVID-19, but today it published some FAQs, largely targeting healthcare practitioners but with a few useful pointers for others. Guidance has also been published by other data protection authorities, including those in Ireland, Poland, France, Italy and Denmark. Unfortunately, the advice is not entirely consistent and, combined with some rather dubious interpretations of GDPR which are circulating online, the result has been that companies are more, rather than less, confused. Here are some key practical issues to bear in mind:
1) Remote working: check that appropriate IT security assessments have been undertaken and that staff are reminded about compliance with company policies even when working from home. Consider carefully what contact details are needed for workers, bearing in mind that it won't be proportionate to circulate everyone's private contact details. Can technology solutions be used to contact people instead?
2) Health checks: it won't be proportionate to undertake health checks on staff such as temperature checks. Many of the health exemptions in GDPR that people are talking about apply to public and health authorities and not to private data controllers.
3) Health data: there will be some variations at member state level. In most jurisdictions it won't be appropriate to proactively collect or record COVID-19 health information about staff or their family and friends. Nor should it be proportionate to circulate the names of affected individuals around the company. Think about confidential reporting channels for staff and what minimum information needs to be processed. DPAs have varied in their approach and practical advice on this, but the key is to keep it very minimal.
4) Transparency: consider whether updated notices need to be issued to staff about the use of their data in the context of COVID-19.
5) Accountability: make sure decisions around personal data processing are recorded. Data protection impact assessments may be appropriate.