What do you need to know?
The ICO has acknowledged that resources may be diverted away from usual compliance or information governance. They will not penalise organisations that need to prioritise other areas or adapt their usual approach.
Importantly, the ICO have said they cannot extend statutory timescales, but they will communicate that people may experience delays when making information rights requests to businesses during the pandemic.
As many businesses will now be working remotely, the ICO have emphasised that data protection is not a barrier to homeworking. But businesses need to consider the same kinds of security measures for homeworking that they would in normal circumstances, especially if employees are using their own devices or communications equipment.
Businesses should keep staff informed about any coronavirus cases in the organisation but should not provide any more information than necessary (you don’t need to name the individual). Businesses are obligated to ensure the health and safety of all employees. Data protection should not prevent you from doing this.
The Information Commissioner and the Chair of the European Data Protection Board have made clear that data protection rules do not stand in the way of measures to combat the effects of the pandemic. However, they stressed that data controllers should ensure they are able to rely on appropriate legal grounds when processing personal data without the consent of data subjects, such as processing that is necessary for reasons of public interest in the area of public health.
What does this mean for you?
Businesses’ obligations under Data Protection legislation have not been suspended, but the ICO is taking a reasonable and pragmatic approach to regulation of data protection. Act proportionately – if processing of personal data feels excessive, then it probably is.
If you have any data protection related questions or if you are struggling to meet your compliance obligations during this unprecedented time, then please do get in touch.