Coronavirus - Data protection - the UK




Organisations are grappling with a number of data protection compliance issues when looking to process personal data (in particular, health and travel related information) in connection with their containment, management and mitigation strategies for the spread of the novel coronavirus (“COVID-19”). Organisations are considering a range of options, some with deepening levels of data collection from staff, suppliers, visitors and others. The data protection concerns are at a basic level similar globally; however, the degree of restriction, the corresponding compliance risk and the solutions will vary from country to country, depending on local circumstances, laws and guidance. COVID-19 is testing data protection resilience in the face of a crisis and forcing some tough risk-based decisions and assessments in some instances, testing the edge of necessity and of legislative permissions which were not drafted with this sort of crisis in mind. Set out below is an overview of the key data protection issues that organisations should consider from a UK perspective.

What’s the main data protection issue I need to be concerned about?

Under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act 2018 (“DPA”), ‘special categories’ of personal data require an additional layer of protection because they are particularly sensitive. Information about an individual’s health is a ‘special category’ of personal data, and the ability to lawfully collect it is much more limited. Information about an individual’s travel history will be personal data, and depending on the context may also be considered a special category of personal data.

When can we process special category personal data?

Special category personal data (“SCPD”) may only be processed (which includes any sharing) where a lawful basis under Article 6 GDPR applies and, in addition, a separate condition for processing is met – those separate conditions are set out in Article 9 GDPR, and in sections 10-11 and parts 1 and 2 of Schedule 1 DPA. Controllers will also need to be able to justify the processing sufficiently, by showing that it is a necessary, reasonable and proportionate way of meeting the relevant rights or obligations in play.

It is important to note that these sections of the DPA 2018 build on the GDPR lawful purposes, and so if you are trying to work out whether you can take the same approach around the EU it will be important to check the position in the relevant country. There may be other local laws which come into play as well as a cultural position and expectation which necessitates an even more restricted approach.

Controller organisations may process SCPD when the data subject has given their explicit consent to the processing for one or more specified purposes, except where UK law provides that this is not permitted. By way of reminder, consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes, by statement or clear affirmative action, by which they signify their agreement to the processing. However, as a general rule, in the UK (and EU) consent should not be relied on in an employment context – in particular because of concerns about whether it is freely given. In addition, controllers should be wary that data subjects are entitled to withhold their consent, or to withdraw it at a point in the future. In the event of such a refusal or withdrawal, the controller is not necessarily permitted to switch to another lawful basis for processing.

Are we collecting more personal data than is really necessary?

As explained above, for these other lawful bases to apply, the processing typically has to be necessary. Alongside that, the data minimisation principle must be complied with – in other words, controllers should always think about whether the personal data is adequate, relevant and limited to what is necessary in relation to the relevant purposes. This is a particularly salient point to remember in the context of the response to COVID-19. Take a moment to step back and consider whether the same goals can be achieved by simply reframing a question, or by an alternative process.

Individuals’ rights

The usual requirements around provision of information to the relevant data subjects (Articles 13 and 14 GDPR) will apply. Existing fair processing notices should be checked to see whether they address the relevant data processing.

Other data subject rights will remain relevant, including:

  • the right of access (Article 15);
  • the right to erasure (Article 17); and
  • the right to object to the processing of their personal data where it is processed on the basis of Articles 6(1)(e) or (f) (Article 21),

and controllers will need to have processes in place to deal with requests exercising these rights.

Other considerations

In addition, controllers may need to consider whether:

  • a data protection impact assessment should be carried out, in cases where the relevant processing is likely to result in a high risk to individuals;
  • a legitimate interests assessment is required, in cases where Article 6(f) is in play;
  • an ‘appropriate policy document’ has been or needs to be implemented in order to meet a Schedule 1 condition for processing under the DPA. The document must include the relevant condition(s) for processing the data, how the controller can satisfy a lawful basis for that processing, and specific details about applicable retention and deletion policies;
  • any contract(s) should be put in place to govern the sharing of SCPD – for example, where personal data is passing between a customer company and its supplier to help manage COVID-19 risks;
  • records of processing activities should be updated to reflect any new personal data processing activities as a consequence of the COVID-19 outbreak;
  • technical and organisational measures have been implemented to ensure the security of the personal data appropriate to the level of risk; and
  • any Data Protection Officer and/or EU representative should be appointed as a result of any large-scale processing of SCPD.

Finally, in all cases, controllers will need to remain accountable in respect of their data processing activities – meaning being able to evidence/demonstrate their compliance with the data protection principles.

For clients looking at handling this issue across multiple countries, the position is not a uniform one, even within the EU. Outside the EU, in some countries consent is the route you have to take to render the collection lawful, while in others it may be sufficient to provide notice. This reflects not only differences in the relevant data protection law itself, but also different interpretations and culturally embedded approaches to the more limited collection of special category data by employers. So it will be important to check the position under local law, and to keep alert for emerging guidance being issued.

Data protection shouldn’t innately be a block to protecting staff and others; it may, though, challenge some of the ideas raised on the approach to take and cause reflection on whether the right balance is being struck. So it is essential that data protection considerations are taken into account as strategies emerge, before they are implemented in this fast-moving scenario.