The ICO has announced that it will take a flexible approach towards enforcement in light of the COVID-19 outbreak. The Information Commissioner's Office (UK) reports as follows:
We all share the same concerns about the spread of the COVID-19 virus. The need for public bodies and health practitioners to be able to communicate directly with people when dealing with this type of health emergency has never been greater.
Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.
The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.
(Privacy press clipping sourced via Information Commissioner's Office (UK))
Jurisdiction: United Kingdom
The announcement appears intended to provide a degree of comfort to public bodies and medical operators in processing health information related to the COVID-19 outbreak. The ICO is keen to frame data protection laws as not being an impediment to the necessary communications and actions that these government and medical bodies may contemplate.
The ICO clarifies that communications on health matters by government and medical practices are not “direct marketing”, which is heavily restricted under the data privacy laws in place in the UK. The announcement doesn’t speak to the other situations in which commercial businesses and (particularly) employers may wish to process personal data in the context of the outbreak.
The ICO also points to the concept of “public interest”, which is a lawful ground for processing of personal data under Article 6 of the GDPR. Article 6(1)(e) provides that processing is lawful where “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. This ground could apply to private companies, for example, provided there is a sufficient “public interest”. It is clear that the drafters of the GDPR did intend the ground to apply to controllers having governmental functions or official authority.