Following the outbreak of COVID-19 and its development into a global pandemic, Alison O’Connell speaks to regulators and data protection experts to find out exactly what companies need to know about managing access to data requests and ensuring their organisations are implementing the right measures to meet GDPR requirements.
With the spread of coronavirus across the globe, organisations have been implementing exceptional measures to ensure business continuity and to safeguard employees and customers against the health threat it poses.
As a result of the crisis, businesses are facing a number of challenges from a data protection and compliance perspective, from ensuring measures are in place to protect data handled by employees working from home and establishing cyber-defence strategies, to managing data subject requests and government requests for information while balancing regulatory requirements.
While the European Data Protection Board (EDPB), which is responsible for ensuring the consistent application of the GDPR in the EU and cooperation between all data protection authorities (DPAs), has not yet issued guidance on how companies should be managing their GDPR obligations during this time, businesses should be looking to their national DPAs for advice, many of which have already issued guidance.
Managing data subject requests
The UK Information Commissioner's Office (ICO) and the Irish Data Protection Commission (DPC) have issued guidance for companies regarding data subject access requests (DSARs). Both authorities have indicated that they understand that resources, whether finances or people, might be diverted away from usual compliance or information governance work, stating that they will not be penalising organisations that prioritise other areas or adapt their usual approach to manage operations during the COVID-19 crisis.
While authorities cannot extend statutory timescales for responding to requests from individuals since they are set down in law by the GDPR, they recognise that unavoidable delays may arise as a direct result of the impacts of COVID-19. Companies are being advised to tell people through their own communications channels that they may experience understandable delays when making information rights requests during the pandemic.
While authorities have signalled in general terms that they will not be looking to take action against controllers that have failed to deal with data subject rights requests within the normal required timelines as a result of COVID-19 issues, organisations cannot just switch off and ignore data requests, according to Grant Campbell, partner at Brodies LLP. “We would expect organisations to be able to demonstrate to authorities that they still act responsibly and are trying to respond to requests properly and as expeditiously as possible… So, for example, if a controller's office is closed and mail is not being picked up, consider making that clear to individuals and encourage them to communicate electronically – perhaps by putting a notice on the website,” he says.
Will authorities be more lenient given the circumstances?
The GDPR does provide for an extension of two months to respond to a request where necessary, taking into account the complexity and number of requests. Guidelines issued by the Irish DPC state that: “Any organisation experiencing difficulties in responding to requests should, where possible, communicate with the individuals concerned about the handling of their request, including any extension to the period for responding and the reasons for the delay in responding… Organisations experiencing difficulties in actioning requests should also consider whether it is possible to respond to requests in stages. For example, an organisation whose staff are working remotely may have difficulties in accessing hard copy records. In this case, it may be possible to provide the requester with electronic records, with hard copies provided at a later stage.”
As recommended by the DPC, companies should consider whether they can respond to requests in stages, communicate clearly with individuals, and maintain records of the actions they are taking. “Companies should also make sure they document the reasons for not complying with the timelines since they should be able to demonstrate compliance under the GDPR accountability principle (article 5(2) GDPR). Such reasons should also be communicated to individuals,” says Itsiq Benizri, senior associate at WilmerHale.
If an organisation thinks that it will not be able to respond in time, it could contact the relevant authorities to explain the circumstances and the measures that it is taking to try to respond, according to Felicity Burling of HFW. “If the organisation is genuinely trying its best, the ICO seems likely to take a lenient approach. The responses of regulators in other jurisdictions may vary, but organisations should be proactive,” she says. “Respond promptly to requests from individuals, even if only to say that they have been received and will be dealt with as soon as possible in the circumstances. It is important to keep individuals and regulators up to date where necessary and to be transparent and fair at all times.”
While DPAs are likely to be lenient towards companies that are struggling to respond to DSARs during the pandemic, companies should not expect any significant change with respect to ongoing investigations or enforcement actions. “Like most public entities, the data protection authorities are still hard at work, even if they are working remotely,” says Sue Foster, of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo LLP. “If a company cannot respond to an audit or investigation by a data protection authority in a timely manner due to the pandemic, it should inform the data protection authority and ask for an extension rather than simply not responding at all,” she adds.
Rules on sharing data with governments
As confirmed by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), companies can share anonymous data with governments to fight the spread of the pandemic, since anonymous data falls outside of EU data protection laws.
Companies should take note that anonymisation can be a very demanding process as the threshold to qualify data as anonymous in the EU is very high, according to Anne Vallery, special counsel at WilmerHale in Brussels, who says “it may require more than just removing phone and device identification numbers. The EDPS also confirmed the DPAs’ view that aggregating data could provide an additional safeguard.”
The processing of telecommunications data, such as location data, is subject to the ePrivacy Directive. Location data can be used only when made anonymous or with the individual’s consent, but Vallery points out that the ePrivacy Directive enables EU countries to introduce legislative measures to safeguard public security. “Such exceptional legislation is possible only if it introduces necessary, appropriate and proportionate measures limited to the duration of the emergency. Companies therefore need to check national requirements,” she says.
Although health data is subject to stricter requirements, consent is not always necessary. According to the EDPB, companies may process employees’ health data for reasons of substantial public interest in the area of public health or to protect an individual’s vital interest. “Where a company is acting on the directions of public health authorities to share data it is likely that article 6(1)(c), article 9(2)(i) GDPR and section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, as necessary for compliance with a legal obligation to which the company is subject. It would be open to the company to ask the authority in question to identify the particular piece of legislation, which requires the sharing of data,” says Graham Doyle, deputy commissioner at the Irish DPC. “For example, under the Irish Infectious Diseases Regulations, 1981, a medical officer of health may request information relating to a case or suspected case of an infectious disease in order to take steps to prevent its spread,” he says.
It is also permissible to process personal data to protect the vital interests of an individual data subject or other persons where necessary, according to Doyle. “A person’s health data may be processed in this regard where they are physically or legally incapable of giving their consent. This will typically apply only in emergency situations, where no other legal basis can be identified,” he says.
Similarly, the ICO has said in guidance that employers can share employees’ health information with authorities for public health purposes. Although it is unlikely that an employer will have to share information with authorities about specific individuals, if it is necessary then data protection law won’t stop them from doing so. “Advice in this area is inevitably context and circumstance specific. Our advice is that organisations need to act responsibly, proportionately and transparently. Don't be afraid to ask questions and make enquiries if you are uncertain as to whether to provide information,” says Campbell.
When sharing COVID-19 data with governments, organisations must have the appropriate lawful grounds and follow GDPR principles and bear the following in mind:
Fairness and lawfulness - As well as identifying the appropriate legal basis for processing personal data, companies must ensure that they adhere to the principles of data protection. “It is also important that organisations keep full records, including actions taken, the lawful grounds used to justify them, and the efforts made to be transparent with the individuals concerned,” says Burling.
Transparency - GDPR obligations will require that employees be informed in a transparent manner about any sharing of their data with the public health authorities. “Data sharing should be transparent: unless prevented from doing so by law, organisations should inform individuals about the data sharing, before it occurs if possible,” says Burling. Collection and sharing of personal data in the circumstances should be kept to a strictly “need to know” basis according to Burling. “The more personal data that organisations collect, the higher the risk from a data protection and privacy perspective,” she says.
Minimisation - Generally speaking, companies should make sure they do not process more data than necessary and only process it for specified and explicit purposes, says Campbell. “In particular, the principle of data minimisation means that only data that is strictly necessary for the purpose outlined by the health authorities should be shared with them.” Data protection law will not stop organisations from sharing information with authorities about specific individuals if it is necessary to do so, “however, if aggregated or anonymised data would be sufficient then organisations should avoid revealing individuals' identities,” Burling adds.
Finally, companies that receive a request from a government entity for personal data about residents of the country in question should feel confident in responding without second-guessing the government. “It is rather unlikely that government entities will seek personal data, as opposed to aggregate data, from employers, but it seems to be increasingly likely that government entities will seek location data from mobile phone and other network providers,” says Foster. In any case, Foster points out that under the EU treaties, individual EU member states have broad authority over their own national security and health and public welfare laws. The GDPR itself recognises these national rights. “It is extremely unlikely that any EU data protection authority would sanction a private organisation for responding to a request for personal data from a bona fide government entity in the relevant country, so organisations are entitled to assume that their own government entities are acting lawfully,” she says.