As all companies and data controllers should be aware, the General Data Protection Regulations (GDPR) have been in full force for nearly two years now, governing what companies and data controllers do with the personal data they obtain from their customers and employees, and providing robust regulations in the data protection and privacy space. As a result, the Information Commissioner has been handing out hefty fines for breaches of the GDPR.
Needless to say, at this time of extraordinary disruption during the covid-19 outbreak, spreading across the entirety of Europe (and most of the world) at the moment, the ICO has vowed to take a "reasonable and pragmatic" approach to data protection regulation.
On 12 March 2020, the ICO published some helpful guidance stating that it will not immediately punish companies which are not able to handle data or information requests in a timely manner. Huge resource is currently being diverted towards ensuring remote working procedures function properly and in enabling companies to provide all employees with the ability to carry on in a "business as usual" fashion as much as possible.
Although statutory timescales will not be extended, where extensions can be granted they should be requested and the public will be notified that delays are to be expected during this unprecedented pandemic.
A common sense approach should be taken when it comes to collecting personal data about employees, in particular in relation to their recent health and travel history. Furthermore, the government, the NHS and other relevant public bodies will be expected to collect additional data at this time and to share additional health messages through various platforms (such as email or text) without prior consent, because this does not count as direct marketing.
The key takeaway from the ICO's guidance so far is this: "It’s about being proportionate - if something feels excessive from the public’s point of view, then it probably is."
For the full guidance as published so far, please see here: ICO: Data protection and coronavirus: what you need to know.
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/03/data-protection-and-coronavirus/The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.