It goes without saying that the COVID-19 pandemic has drastically changed our daily lives. Many of us are adapting to government-issued restrictions, remote working, and other measures designed to combat the spread of the virus. Andy Gilman, President and CEO of CommCore Consulting, once said that “the secret of crisis management is not good versus bad, it’s preventing the bad from getting worse.”
Despite the crisis, as counsel and compliance professionals working in-house or in private practice, we must remain ready to advise our client(s) on how best to comply with applicable laws and regulations to ensure that we too prevent the bad from getting worse.
Responding to the COVID-19 outbreak has involved applying established laws and adapting company policies to a novel situation. This is certainly the case for data protection law, where both private and public sector initiatives have required the processing of personal data: employee data processed to detect and control the spread of the virus in the workplace, data processed for the work of community groups, and location data processed to combat the spread of COVID-19 through contact tracing technology.
The European Data Protection Board (EDPB) released a statement on the processing of personal data in the context of the COVID-19 outbreak, covering the obligations of public authorities and of employers, and the data protection considerations applicable to each. The EDPB also touched on the use of telecommunications data and location data, on which it then produced more detailed guidance, as well as guidance on processing health data for research purposes.
In the UK, the Information Commissioner’s Office (ICO) has created a data protection and coronavirus information hub, which includes helpful but high-level information for health authorities, employers and those developing contact tracing apps. The ICO has also released guidance on its stance on regulatory enforcement during the pandemic, in which it recognises that the pandemic requires it to reassess its priorities and its resourcing, and therefore to take an “empathetic and pragmatic approach” to regulation.
The available lawful bases under the GDPR and UK law will differ depending on the context and purpose of the data processing. For ease, we have reproduced the main lawful bases in this set of tables.
Whatever the context of the processing, identifying the appropriate lawful basis is in itself only the beginning. Organisations will need to consider compliance with the data protection principles as well as the data controllers’ legal obligations under the GDPR and the Data Protection Act 2018.
One of the key obligations in the context of COVID-19 for the processing activities set out in the table is the requirement to carry out a data protection impact assessment (DPIA). A DPIA is most likely required given the categories of data that will be processed (i.e. health data) and the data subjects whose data will be processed (employees, patients or other vulnerable individuals).