As the Government’s strategy to delay the spread of COVID-19 continues to unfold, we share a few of the answers to the questions the ICO is being asked on data protection issues which will be of interest to healthcare data controllers.
In its statement, the ICO recognises the “unprecedented challenges” facing organisations during the COVID-19 pandemic and confirms its “measured approach” in these difficult times.
What if our data protection practices don’t meet our usual standard and our response times to information rights requests are longer? Will the ICO take regulatory action?
The short answer is no. The ICO understands that we are facing an unprecedented situation, and that staff and resources might be diverted away from usual information governance work. It says that it “won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach”.
But while the ICO cannot extend the statutory timescales (the one-month period for responding to a subject access request still applies), it will tell people that they may experience “understandable delays when making information rights requests during the pandemic.”
Can healthcare organisations contact individuals in relation to COVID-19 without having prior consent?
Yes, in short. Data protection law does not stop the Government, the NHS or any other health professionals from sending public health messages to people by phone, text or email, because these messages are not direct marketing. Nor does it stop them using technology to facilitate safe and quick consultations and diagnoses.
It says that: “Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.” The ICO will take into account the “compelling public interest in the current health emergency.”
What about data security and the shift to homeworking during COVID-19?
Maintaining your data security when working with remote teams is of paramount importance, and making sure your teams remain protected is essential to the overall security of your health and care organisation. Home working is not something that GDPR prevents, but it does move the data outside the controls you normally rely on (the office network, locked rooms, managed printers), so data security has to be looked at from a slightly different perspective.
Staff will need to log into a secure system, whether on a laptop or a desktop computer, and that system should be protected by two-factor authentication (2FA) rather than a password alone. If you already have 2FA in place, your staff may need instructions on how to download the relevant authenticator app, as well as instructions on how to navigate to the log-on screen. Staff should not access confidential systems in public places, should lock the screen whenever they step away from the device, and should make clear to others in the household that they are not to attempt to look at the information. Staff should also be careful about any hard copy notes they make, as these will also need to be secured and later disposed of securely; preferably they will work entirely electronically.
But what about apps? Can you use apps like Instagram and Facebook while working from home? In short, no. They are not designed for handling confidential information, and even if profiles are locked down or a group is private, you have no real assurance about who can see the content or where it is stored. We do not consider it appropriate to share special category information about patients on them, even in private groups.
However, there are some apps that could be used if both your IT department and your information governance team are happy with their use. For example, WhatsApp, Viber and Line encrypt messages end to end by default, and Telegram offers end to end encryption in its optional “secret chats” (its standard cloud chats are not end to end encrypted, so check which mode is in use). Bear in mind that end to end encryption only protects the message in transit: it does not secure the phone the message lands on, any cloud backups of the chat history, or the question of who remains in the group after a member leaves the organisation. You will need to assess your options and decide which (if any) you are comfortable to use.
Do get in touch with Stuart Knowles, Jill Weston or Claire Williams if you would like to discuss how to mitigate the risks of a data breach when staff work from home.
Below is a collection of resources from the ICO offering practical guidance to support health and care organisations.
Statement for health and care practitioners.
COVID-19: general data protection advice for data controllers.
FOI and the coronavirus.