UK: Data protection and covid-19


published on 7 May 2020 | reading time approx. 3 minutes


Following the outbreak of covid-19 and its development into a global pandemic, many businesses have had to resort to exceptional measures to ensure that their employees, customers and business are protected against the threat of coronavirus and that, as far as possible, it is “business as usual”. We anticipate that there are a number of issues for organisations to take into consideration in these unprecedented times from the perspective of the data protection regime.




Information collected from individuals relating to covid-19

In order to manage the impact of the outbreak and to limit exposure, organisations may be collecting information from employees that is exceptional and unusual. This may include “contact lists”, a list of symptoms (if any), information about vulnerable members of the family home, and information on self-isolation. Much of this is likely to be “personal data” and, where it concerns health, “special categories of personal data” (“SCD”) under the General Data Protection Regulation (“GDPR”), and is therefore subject to strict compliance obligations.


The Information Commissioner’s Office (“ICO”), the UK’s data protection watchdog, has confirmed that it will not take regulatory action against organisations whose data protection practices and response times to information rights requests are temporarily reduced because of the pandemic. The ICO will use its own communication channels to inform people about potential delays to information rights requests during the pandemic.

Disclosing the identity of an infected worker to other workers

Informing employees (or others) of the identity of a specific employee who is confirmed to have covid-19 would involve disclosing SCD, and so has the potential to be unlawful from a data privacy point of view and potentially from an employment law perspective (since it may carry stigma, embarrassment, etc.). It will generally not be necessary to disclose an individual’s identity, even while implementing measures to prevent the spread of the virus, including measures to protect high-risk individuals. Businesses must perform a balancing act to protect both the identity of the infected individual and the other employees in the organisation. An impact assessment may be necessary to record how each organisation will approach the identity of infected persons. This is also consistent with ICO guidance.


Retention period for data collected during the pandemic

It is important to note that collecting data to help stem the spread of covid-19 may be in the broader public interest, but this does not make privacy and data security concerns evaporate. Data protection authorities across the EU have generally agreed that it is permissible to ask employees whether they have been infected, whether they have recently visited high-risk areas or whether they have been in contact with or exposed to people infected with the virus. However, organisations must also consider why they are collecting the data, who has access to it and how long it will be retained.


It is unclear when the outbreak will truly start to resolve, but once it does, businesses must have an action plan for what they intend to do with the data they have collected. The general practice is to securely dispose of data once it is no longer required. Indeed, the GDPR’s storage limitation principle requires that personal data be kept no longer than necessary for the purpose for which it was collected, and the right to erasure is one of the individual rights under the law.


Security measures for staff who are working from home (“WFH”)

The ICO has advised that the data protection regime is not a barrier to different types of homeworking. With many organisations encouraging, and now mandating, individuals to work remotely, this is a good time to review and update remote working policies and to remind employees of their requirements. In general, data protection law does not prevent the use of employees’ personal devices or communication equipment for WFH, but organisations will need to consider the same kinds of security measures for WFH that they would apply in normal circumstances.



It is advisable that employees shut down their devices properly at the end of each day, so that pending updates are applied and the required firewall and other protections are in place for the data being used on each employee’s device while working remotely.

The European Data Protection Board (“EDPB”) has stressed that data protection laws in the EU do not, and should not, hinder the response to the covid-19 pandemic, but has also reminded all organisations subject to the GDPR regime that they must remain compliant with all their obligations under the GDPR and associated legislation. In the UK, the ICO appears to be sympathetic to the fact that many organisations will have their resources diverted away from data protection compliance. This is a welcome concession from the ICO, but the scope of this flexibility must be construed narrowly. Organisations should continue to monitor guidance issued by the EDPB, as well as the guidance of national data protection regulators such as the ICO in the UK.