30 March 2020
Data protection and coronavirus: ICO publishes guidance
The Information Commissioner’s Office (ICO) – the UK’s data protection authority – has published guidance on data protection compliance during the current coronavirus (COVID-19) pandemic.
While the guidance reminds organisations that data protection laws will continue to apply and the core principles of data processing must be adhered to, the ICO has also sought to provide reassurance that it will not operate in isolation from matters of serious public concern, and will continue to act as a reasonable and pragmatic regulator.
In particular, the ICO acknowledges the importance of organisations being able to work together to respond effectively to the pandemic, noting that data protection laws will not stop this from happening. Indeed, there are already provisions within the existing data protection laws that permit processing of personal data where such processing is necessary for the performance of a task carried out in the public interest or for the protection of an individual’s vital interests.
Advice for data controllers
The ICO has produced a Q&A feature to address some of the most common questions arising in relation to data processing during the pandemic.
The regulator acknowledges that financial and human resources may be diverted away from usual governance and compliance matters, and goes on to say that “[w]e won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.”
While it is not within the ICO’s control to extend statutory timescales for things like responding to data subject access requests, the ICO is at least telling people through its own channels that, understandably in the present circumstances, they may experience delays when making information rights requests.
Home working and cyber security
In accordance with the Government’s guidance to stay at home, millions of us are now home working and many for the first time. These changes to our working habits are, and are likely to continue to be, a huge challenge for IT and communications infrastructure, and organisations’ systems may be more vulnerable to attack as a consequence.
The National Cyber Security Centre (NCSC) has released guidance to help organisations reduce the risk of cyber attack on homeworking devices.
Everyone has been affected by the coronavirus outbreak, but it is often in times of adversity that the best of humankind reveals itself. A number of community groups have sprung into action to support the work of existing services and charities and to help those in our society who are most vulnerable.
These community groups may find that they are handling personal information for the first time, or at least in greater quantities than before. Some of it, such as information about an individual’s health, may be particularly sensitive.
To help community groups handle people’s data responsibly, the ICO has set out some data protection basics and other useful tips in a recent blog post, ‘Community groups and COVID-19: what you need to know about data protection’.