Data-protection regime relaxed for coronavirus response as ICO pledges no GDPR action

Written by Sam Trendall on 18 March 2020 in News
News

NHS and government bodies will not be constrained, regulator and health secretary indicate

Credit: Pxhere

Public sector organisations responding to coronavirus will not face regulatory action under data-protection laws, the Information Commissioner’s Office has said.

Over the last few days, the regulator has issued updates and guidance indicating its commitment to take a “pragmatic” approach to its duties during the ongoing crisis. This, it said, means taking into account the “compelling public interest” in allowing NHS and government to respond to the pandemic with a speed and flexibility that may be at odds with carrying out data-protection measures with the usual stringency.

Consequently, the watchdog has said that it will not be taking any regulatory action against agencies responding to the coronavirus.


Related content


"We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work,” the ICO said. “We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.”

It added: “We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”

This message was reiterated by health secretary Matt Hancock, who tweeted to say that responding to coronavirus should take precedence over the requirements set out in the General Data Protection Regulation. 

“GDPR does not inhibit use of data for coronavirus response,” he said. “GDPR has a clause excepting work in the overwhelming public interest. No one should constrain work on responding to coronavirus due to data protection laws. We are all having to give up some of our liberties; rights under GDPR have always been balanced against other public interests.”

Elsewhere in its guidance, the ICO said that regulation did not prevent public sector bodies sending unsolicited “public health messages”, nor is it prohibitive to using remote consultations and homeworking measures where necessary.

“Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health,” it added.

Regulation also need not be considered a barrier to providing updates to staff on internal cases of infection and, if required, sharing employee health information with the relevant authorities.

 

Share this page

Tags

Categories

CONTRIBUTIONS FROM READERS

Please login to post a comment or register for a free account.

Related Articles

Related Sponsored Articles

Stopping Cyber Attacks in Higher Education
19 April 2021

Higher Education institutions are some of the most consistently targeted organisations for cyberattacks. CrowdStrike explores the importance of the right cybersecurity measures. 

Avoid Infrastructure Paralysis: Six benefits of moving legacy Oracle workloads to the cloud
6 April 2021

There are many reasons to keep your Oracle workloads running on local servers. But there are even more reasons to move them to the cloud as part of a wider digital transition strategy. Six Degrees...

Human Centric Process Management: The common base for digital transformation, cost savings, compliance and agility
11 March 2021

Engage Process explains how to ensure that process remains at the heart of your management programs - and how to keep undue pressure from those processes 

The Role of Technology and Real-time Data in Managing Concurrent Emergencies
11 March 2021

With the backdrop of the COVID-19 pandemic, every disaster now entails responding to at least two emergencies. Dataminr explains how organisations can best prepare.