The UK Information Commissioner’s Office (“ICO”) has published guidance regarding its expectations for controllers and health professionals during the COVID-19 outbreak.
In its guidance for controllers, the ICO adopted a pragmatic stance, stating: “We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is.”
“We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.”
The ICO also recognized that employees are more likely to be working from home, and confirmed that personal devices and communications equipment could be used, but that the standard security measures for teleworking should be in place.
The ICO also clarified, in both its guidance for controllers and its guidance for health and care practitioners, that public health messages will not be restricted by the Privacy and Electronic Communications Regulations (“PECR”) in the UK as they will not constitute direct marketing. The Government, the National Health Service and any other health professionals are free to send such messages.
Health services are also permitted to use the “latest technology” for the purposes of consultations and diagnosis, and the ICO acknowledges that the circumstances are likely to require additional collection and sharing of personal data in order to protect public health. The ICO emphasized that it will “take into account the compelling public interest in the current health emergency.”
The ICO also noted that individuals are likely to see some delay in responses from public authorities in relation to Freedom of Information requests, due to the diversion of resources to other priorities during the outbreak.