The ICO has published a statement in response to the current Coronavirus crisis. Click here to see it.
In highlight, the statement looks at issues relating to compliance during difficult business times, and around disclosure of some personal information in the context of dealing with the virus and its control.
The main takeaway from this statement is that the ICO will adopt a common sense approach. For example, although statutory times set for responses cannot be changed, the ICO acknowledges the problems for staff and finances for business where work has been diverted from usual compliance work.
The ICO will not penalise businesses where issues arise due to changed priorities because of the crisis.
The statement makes expressly clear that messages from government, NHS or other healthcare professionals – however delivered – are not marketing messages and are not prevented by data protection or privacy laws.
Whilst an employer may need to keep other employees up to date about Covid-19 cases amongst their employees, the personal information disclosed should be no more than is necessary. If there is not a need to identify the employee, don’t. However if there is to comply with a duty of care to employees, that duty of care to employees should trump the issue of a disclosure. This also applies to the collection of health data; keep the collection to what is strictly necessary for the purposes of maintaining the duty of care to stay on the right side of data protection issues.