COVID-19 and Data Protection
One positive aspect to come out of the coronavirus is seeing how communities have come together to help those vulnerable or struggling, whether it be doing the weekly shop for an elderly neighbour, supplying learning resources to a parent home-schooling their child, or checking in on someone in the "at-risk" category from time to time.
Those involved in the community group will need to share information in order to co-ordinate an appropriate and efficient response. Often this will be done electronically and will involve sharing personal data, often very sensitive. Whilst data protection is unlikely to be at the forefront of any community discussions, it is nonetheless imperative that appropriate protections are put in place.
As with any new or sensational event, the number of fraudsters seeking to exploit the situation is alarming. Coronavirus email scams are rife, with cybercriminals preying on mounting virus concerns to extort information. With an increased amount of personal data being shared within community groups (often with individuals who are unfamiliar with data protection requirements), there is a potential weak spot which criminals may seek to tap into during this period.
With that in mind, the Information Commissioner's Office (ICO) has produced some guidance to assist community groups on how they can apply the law in this extraordinary time. The ICO is keen to stress that it is not there to shackle community groups, but to assist in maximising the protection afforded to those individuals who such groups are seeking to help. Below are a few of the key points from the ICO's guidance.
- Be transparent with individuals about what you are going to do with their personal data. Ideally information should be provided by means of a privacy notice (and the ICO has produced a template which can be shared with individuals), but if that will delay vital support then such information can be provided verbally.
- Keep sharing personal data when appropriate (for example, when sharing is necessary for public safety), but think ahead about who you might need to share personal data with (for example the local council or emergency services), in what circumstances personal data might need to be shared, and what measures should be put in place to ensure that this can be done securely and without risk to the individuals.
- Ensure that there is a lawful basis for collecting and handling the personal data. For example, is it in the individual's or a third party's legitimate interests? Has the individual given clear and unambiguous consent to the use of their personal data? Is it necessary to save someone's life? If the answer to any of the above is "yes", then you will have a lawful basis. If you are handling any special category personal data (for example, health information), then you will need an additional ground for processing. Typically you can handle and share this type of personal data if you have explicit consent to do so, if it is necessary to save someone's life or if you need to process the personal data to protect a person at risk (whilst there are other grounds, the above are likely to be the most relevant).
- Keep the personal data secure. Think about the impact it would have on the individuals if their data became lost or stolen, and apply appropriate measures to reasonably reduce the risk of that happening.
- Only collect and use the minimum amount of personal data required to fulfil the objectives you are seeking to achieve, and delete or destroy such personal data once you no longer need it.
- Keep a record of any decisions you make in respect of the use of personal data.
If you have any queries in respect of any of the matters discussed in this article, please do not hesitate to contact a member of our Commercial Team.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.