Managing Partner, Julia Rudin, and Trainee Solicitor, Aleksandra Wolek, consider how public bodies can ensure compliance with their GDPR obligations.
The data protection regime continues to ensure that people can trust organisations to use their data fairly and responsibly and it takes a flexible, risk-based approach which puts
the onus on the organisation to think about and justify how and why it uses personal data.
The outbreak of COVID-19 is affecting public sector organisations in multiple, often unexpected ways. It is understandable that local authorities may face various unprecedented challenges during this testing time and the Information Commissioner’s Office (ICO) acknowledges this.
In their recent blog post, the ICO recognised that the outbreak causes resource allocation and shortage challenges and emphasised that organisations should be taking a pragmatic approach
to data protection compliance.
The obligations
The obligations under the data protection regime, which in the UK is based on the GDPR and the Data Protection Act 2018 (DPA 2018), remain the same. Controllers are still required to ensure that the processing of personal data complies with the law and continue to pay data protection fees (the level of which continues to depend on the nature of the Controller’s business).
The Processors undertaking data processing activities on behalf of the Controllers continue to have some direct compliance obligations too.
Whatever the circumstances, the seven key principles which lie at the heart of any lawful processing of personal data remain the same:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The rights of the data subjects
GDPR sets out various data subject rights. These too remain the same:
- The right to be informed
- The right of access
- The right of rectification
- The right of erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The ICO made it clear that, for example, it cannot extend the statutory timescales for dealing with data subject requests because of the COVID-19 outbreak but it ensured that individuals will be informed through its communication channels that they may experience understandable
delays in receiving a response.
Crucially, the ICO announced that it will not penalise organisations that need to prioritise other areas or adapt their approach during the COVID-19 outbreak. It is therefore prudent to maintain good communication with the ICO and inform them of any anticipated or ongoing difficulties as soon as possible.
It is lawful for public sector organisations, including the NHS and local authorities, to contact individuals regarding the COVID-19 outbreak – such communication is not deemed direct marketing for the purposes of the data protection regime. Public health messages can be sent to individuals either by phone, text or email without their prior consent.
Processing of personal data concerning health
The COVID-19 outbreak may make it necessary for organisations to collect personal data concerning health. Public sector bodies, including local authorities, have an obligation to protect their employees’ health as well as a general duty of care towards them and any individuals who may
be visiting their premises.
However, the ICO emphasised that these obligations do not justify collecting more information than is needed – data minimisation remains an important consideration. Any personal data that does have to be collected, must be processed with appropriate safeguards in place.
Organisations must ensure that they continue to have valid and lawful bases for processing of personal data, as required by Article 6 of the GDPR, which must be determined before the processing begins and be duly documented.
Importantly, further lawful bases as specified in Article 9 of the GDPR are required where the processing involves special category data, including information relating to health. Information relating to health will be categorised as special category data if it reveals or concerns health information.
Therefore, if your organisation has inferred or guessed details about an individual which fall into the ‘health’ category, this data may count as special category data.
To ensure that the processing is lawful, after identifying and documenting a valid lawful basis as prescribed by Article 6, organisations must also comply with at least one of the conditions for processing provided in Article 9 of the GDPR.
If an organisation is relying on the following conditions:
- Employment, social security and social protection
- Health or social care
- Public health or archiving
- Research and statistics
It also needs to meet the associated condition in UK law, as set out in Part 1 of Schedule 1 of the DPA 2018.
For example, for the public health purposes, the relevant condition could be met if the processing of personal data is necessary for reasons of public interest in the area of public health and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a
duty of confidentiality under an enactment or rule of law.
Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health. If an organisation is relying on the substantial public interest condition in Article 9(2)(g), it also needs to meet one of the substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018.
These include, for instance, statutory and government purposes or support for individuals with a particular medical condition.
COVID-19 and employees
It is unlikely that employers, including local authorities, will have to share health information about specific employees with various authorities for public health purposes. However, should this become a necessity, the ICO assures that the data protection regime will not stop organisations from doing so.
Similarly, organisations should keep their staff informed if any of their employees contract COVID-19, are experiencing symptoms or are self-isolating. The data protection regime does not prevent such communication, however the ICO says that it is not always necessary to name the specific individual and the information shared should be limited to the required minimum.
The current government advice requires employees to work from home as far as possible. The data protection regime does not conflict with homeworking or use of devices and communications equipment by employees at home. However, the same adequate security measures should be complied with when working at home as when working
in the office.
For more information, please contact Julia Rudin and Aleksandra Wolek.
This article is for general awareness only and does not constitute legal or professional advice. Law and guidance relating to the COVID19 pandemic is continually being updated and the law may have changed since this page was first published. If you would like further advice and assistance in relation to any issues raised, please contact us today by telephone or email covidhelp@sharpepritchard.co.uk.
