The United Kingdom’s Information Commissioner’s Office has provided it’s guidance on COVID-19 and data privacy.
- Public health messages are not direct marketing.
- It’s about being proportionate – if some data processing feels excessive, then it probably is.
- The ICO is a reasonable and pragmatic regulator… Regarding compliance with data protection, it will take into account the compelling public interest in the current health emergency.
- The ICO will take into consideration delays in responses (e.g. to data subject rights) due to diversion of resources to dealing with the virus.
DO: Keep staff informed about cases in your organization…but don’t name names or provide more information than necessary.
- ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms
- ask visitors to consider government advice before they decide to come
- advise staff to call emergency services if they are experiencing symptoms or have visited particular countries
AVOID: Collecting specific health data
HOWEVER: If it is necessary, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.