This week has brought unprecedented disruption to the legal system, and the whole economy. The Panopticon team, and all of us at 11KBW, are working hard to ensure that we can continue to provide you with the level of service that you have come to expect. Meanwhile, here are some initial responses to the Coronavirus pandemic from an information law perspective.
The ICO has published a short statement on its website. The key points are these.
- The ICO can’t extend the statutory timescales for data protection compliance (e.g. in relation to answering subject access requests). But the ICO understands that staff, and expenditure, may currently be diverted from usual compliance work, and it won’t penalise organisations that need to adapt their approach during this extraordinary period.
- The Government, the NHS, and health professionals, can send public health messages using all forms of technology (including phone, text, or email). These are not marketing messages.
- Additional collection and sharing of personal data by public bodies may be required to protect against serious threats to public health.
- Data protection law is not a barrier to home-working, but information security considerations should be borne in mind.
- Employees should be kept informed about COVID-19 cases in their organisation, though employers shouldn’t provide more information about individuals than is necessary.
- Where employers collect health data, they shouldn’t collect more data than they need, and they should that they implement appropriate safeguards.
- Where it is necessary for employers to share information with public authorities about specific employees, for public health purposes, then data protection law will not prevent this.
Put shortly, the message is that the ICO will adopt a common sense approach to data protection, bearing in mind the extraordinary circumstances in which we are all operating.
On 19th March 2020 the European Data Protection Board (EDPB) adopted a statement on the processing of personal data in the context of the COVID-19 outbreak. There are a number of points of interest, particularly in relation to the possible use of mobile phone location data.
The EDPB’s starting-point is that:
The fight against communicable diseases is a valuable goal shared by all nations and therefore, should be supported in the best possible way.
At the same time:
[E]ven in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.
The EDPB emphasises that there is a wide range of potential bases for processing personal data (including health data) in the context of an epidemic, without relying on consent. For instance, GDPR Article 9 allows the processing of special category data on the basis of Union or Member State law where it is necessary for reasons of substantial public interest in the area of public health (Article 9(2)(i)), or to protect the vital interests of data subject (Article 9(2)(c)). Recital 46 specifically refers to the processing of personal data in the context of epidemics.
As to telecom data, the EDPB emphasises that national laws implementing the ePrivacy Directive must be respected. In principle, location data can only be used by the operator when made anonymous or with the consent of individuals. However, Article 15 of the ePrivacy Directive enables Member States to introduce exceptional legislation to safeguard public security. If measures are put in place for the processing of non-anonymised location data, then there must be adequate safeguards, including the right to a judicial remedy. The least intrusive solutions should always be preferred. Invasive measures, such as the use of non-anonymised location data to track specific individuals, could however be considered proportionate under exceptional circumstances.
The EDPB’s comments are of great interest, given that there are already a number of indications that phone location data could be deployed as part of measures to tackle COVID-19.
For instance, on 16th March 2020 the Imperial College COVID-19 Response Team published a paper entitled: Impact of non-pharmaceutical interventions (NPIs) to reduce COVID-19 mortality and healthcare demand. The paper has been widely read, because of media reports that it has been influential in prompting the Government to adopt a strategy of suppression rather than mitigation. The following passage (at page 15 of the paper) is of particular interest:
The measures used to achieve suppression might also evolve over time. As case numbers fall, it becomes more feasible to adopt intensive testing, contact tracing and quarantine measures akin to the strategies being employed in South Korea today. Technology – such as mobile phone apps that track an individual’s interactions with other people in society – might allow such a policy to be more effective and scalable if the associated privacy concerns can be overcome.
An article in the Guardian on 19th March 2020 reports that BT (owner of mobile operator EE) is in talks with the Government about using phone location and usage data to monitor whether corononavirus limitation methods are working. On the same day, Sky News reported that the government was working with O2 to analyse anonymous location data, in order to assess compliance with guidelines about social distancing.
The recent Coronavirus Bill includes a number of provisions that will be of particular interest to information lawyers. We are working on a separate post about these.
For an overview of how coronavirus is affecting the other areas of law in which 11KBW operates, see here.