On March 12, 2020, the Information Commissioner’s Office
(ICO), the U.K.’s data protection authority (DPA), published
Guidance for data controllers on their data
protection compliance obligations during the COVID-19 pandemic. The
take-away point is that the ICO will take into account “the
compelling public interest in the current health emergency”
and will take a “reasonable and pragmatic” approach to
enforcing data protection obligations. In light of this Guidance,
the question of what particular steps are proportionate, in terms
of General Data Protection Regulation (GDPR) compliance, will be of
increasing importance while organizations and individuals navigate
The ICO states that it does not operate in isolation from
matters of serious public concern. It recognizes the unprecedented
challenges faced by data controllers as well as by society at large
during the pandemic, and acknowledges the potential needs of
organizations to share information quickly or adapt the way in
which they work at short notice. The Guidance provides answers to
six frequently asked questions about compliance with the GDPR
during the COVID-19 pandemic, as summarized below.
1. Responding to data subject access requests (SARs)
The Guidance states that although the ICO cannot modify
statutory timescales, it will not penalize organizations that it
knows need to prioritize other areas or adapt their usual approach.
Additionally, the ICO states that it has made provisions to inform
the public through its own communication channels that they may
experience delays when making SARs during the pandemic.
2. Health care organizations contacting individuals about
COVID-19 without prior consent
The Guidance clarifies that the GDPR and electronic
communication laws do not stop the U.K. government, the U.K.
National Health Service or any other health professionals from
sending public health messages (including about COVID-19) to
people, either by phone, text or email, because these messages are
not direct marketing.
In a nod to making use of technological advances, the ICO
further states that data protection laws do not stop health
professionals from using the latest technology to facilitate safe
and speedy consultations and diagnoses. Further, the Guidance
recognizes that public bodies may require additional collection and
sharing of personal data to protect against serious threats to
public health, as in the current pandemic.
3. Security measures and homeworking arrangements
During the pandemic, employees may work from home more
frequently than usual. The ICO’s view is that data protection
is not a barrier to increased and different types of homeworking.
However, the ICO advises that organizations should consider
adopting the same kind of security measures for homeworking that
would be used under normal circumstances (see further details
4. Informing employees that a colleague may have contracted
The GDPR does not prevent organisations from keeping staff
informed about cases of COVID-19 among their workforce. However,
data controllers must take care not to name individuals or to
provide more information to colleagues than is strictly necessary.
5. Collecting health data relating to COVID-19 from
Organizations must ensure that they do not collect more data
than they need and that any data collected in connection with the
pandemic is treated with the appropriate safeguards. Examples
of reasonable data collection may include asking employees (and/or
visitors to an organization) whether they visited a particular
country or whether they are experiencing COVID-19 symptoms.
6. Sharing employees’ health information with
The GDPR will not stop organisations from sharing information
with authorities about specific individuals, although it is
unlikely that organisations will be required to do so in the first
Guidance from the EDPB and other DPAs
All other European DPAs (apart from three, at the time of writing)
have now issued guidance on the impact of COVID-19 on GDPR
compliance obligations. It is possible that as the global spread of
COVID-19 continues to develop, European DPAs may revisit their
On March 19, 2020, the European Data Protection Board (EDPB)
also adopted a formal statement on the processing of personal
data in the context of the COVID-19 outbreak. The EDPB states that
data protection rules, such as the GDPR and the e-Privacy
Directive, do not hinder measures taken in the fight against the
coronavirus pandemic. The EDPB underlines, however, that even in
these exceptional times the data controller and processor must
ensure the protection of the personal data of the data subjects. A
number of considerations should therefore be taken into account to
guarantee the lawful processing of personal data. The EDPB states
that in all cases any measure taken in this context must respect
the general principles of law and must not be irreversible. Certain
issues, such as the use of mobile location data and matters
concerning data protection in the employment sector, are
specifically addressed in the EDPB’s statement.
Further, guidance about the impact of COVID-19 on data
protection laws has been published by a few regulators outside the
European Union, including Switzerland, Norway, Russia, Hong Kong,
Singapore, Australia and Canada.
Please consider Akin Gump’s online COVID-19 Resource Center in relation to issues
relevant to data protection, such as remote working,
business/personal travel quarantine and sick leave obligations.
Please get in touch with a member of the Akin Gump team if you
would like more information on how your organization can ensure
that it meets its data compliance obligations during the