The United Kingdom’s Information Commissioner’s Office has provided it’s guidance on COVID-19 and data privacy.

  • Public health messages are not direct marketing.
  • It’s about being proportionate – if some data processing feels excessive, then it probably is.
  • The ICO is a reasonable and pragmatic regulator… Regarding compliance with data protection, it will take into account the compelling public interest in the current health emergency.
  • The ICO will take into consideration delays in responses (e.g. to data subject rights) due to diversion of resources to dealing with the virus.

DO: Keep staff informed about cases in your organization…but don’t name names or provide more information than necessary.

  • ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms
  • ask visitors to consider government advice before they decide to come
  • advise staff to call emergency services if they are experiencing symptoms or have visited particular countries

AVOID: Collecting specific health data

HOWEVER: If it is necessary, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.

Read the full guidance from the ICO.