The ICO has created an information hub for organisations and individuals with guidance on how to tackle data protection issues in their response to COVID-19. The ICO’s main message is that the data protection law will not stop organisations in responding to the crisis.
The hub contains several sections dedicated to organisations, individuals concerned about their personal data, community groups assisting the vulnerable, and healthcare professionals.
In a section dedicated to data controllers, the ICO has published responses to FAQs reflecting the questions its helpline has received in the past few weeks, including guidance on the following:
- Advice to data controllers on conditions for sharing employee health data – data minimisation and necessity principles must apply (avoid naming individuals with Covid-19, if it is not necessary); and
- Advice to apply usual security measures for homeworking to keep personal data safe
In a section dedicated to individuals the ICO advises that response times from organisations to their on requests to exercise rights may be understandably slow. The ICO does not expressly call out these rights, for example a right of access to personal data. However, it is expected that the ICO would be more lenient about deadlines for responding to a request to exercise the right of access and take into account the current situation, where organisations are diverting their resources to tackle other issues.
The ICO promises to keep the hub updated to reflect the changes in the response to the pandemic.