

What you need to know about data protection during the coronavirus pandemic

As a result of the coronavirus (COVID-19) pandemic, many of us are working remotely and are facing unprecedented challenges. One major concern (health, symptoms and panic-buying aside) is that of protecting data when staff are working remotely.

The ICO (Information Commissioner’s Office) has given guidance on how businesses should proceed for the time being, based on the concept of being proportionate with safety measures.

Below, we summarise the ICO’s guidance on how to ensure your organisation’s data is protected.


Q: Will I be penalised if my data protection practices are not as thorough, or my response to information rights requests is delayed?

A: No, you will not be penalised. The ICO has confirmed businesses will not be fined during this time if their protection practices are not as thorough as they are normally. Although statutory timescales cannot be extended, communications will be made to people explaining that delays are likely throughout the pandemic. This is not a carte blanche for ignoring the GDPR, but comfort that trying to do the right thing won’t result in financial penalties.


Q: Can healthcare organisations contact individuals without their prior consent?

A: The Government, the NHS and health professionals will not be prevented from contacting individuals either by phone, text or email because they are sending public health messages, not direct marketing messages.


Q: What security measures are necessary to have in place now that more staff are working from home?

A: To keep staff safe during the pandemic, some or all of your staff may work from home. If this is the case, you should implement the same security measures you would normally use for remote workers in any other circumstance.


Q: Am I allowed to tell staff that one of their colleagues may have contracted coronavirus?

A: Put simply, yes. You have a duty of care to your employees and a responsibility to protect their health and safety, so you should keep staff updated about any potential cases that have been identified in your business. Remember, however, not to name the individual or share any unnecessary sensitive information.


Q: For public health purposes, should I share my employees’ health information with the authorities?

A: Again, put simply, yes. Although this is unlikely to be necessary, data protection law will not prevent you from sharing an individual’s information with the authorities for health purposes.


Q: Can I collect health data about my employees, or visitors to my business, if it’s in relation to COVID-19?

A: This question is a little more difficult. First and foremost, you have a responsibility to your staff to protect their health and safety, and you shouldn’t gather unnecessary information about them.

You can ask staff to share information about whether or not they’ve visited certain countries, and whether they have any symptoms of COVID-19. Recommend staff call 111 if they are concerned.

If you do not feel the information you have collected is sufficient, only ask for further information that is necessary, and remember to apply the appropriate safeguards to the collected data.

With regards to visitors to your organisation, recommend they follow government advice before they arrive at your business.

For the ICO’s full guidance, please visit their website by following this link.


These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.
