The outbreak of the coronavirus and the sad news about so many people dying every day is changing all our lives dramatically. As many of us are trying to come to terms with the ‘new normal’ of staying home and working from home, the implications of all of this from a data protection and privacy perspective are not likely to be at the forefront of our minds. However, this is also a period in which we face some of the greatest erosions of our basic freedoms in terms of legal restrictions (Health Protection (Coronavirus, Restrictions) (England) Regulations 2020). As more and more people, particularly those with COVID-19 symptoms, the old and the most vulnerable members of society, are forced to self-isolate, local volunteer groups are springing up to support them.
As the BBC noted on 23rd March 2020, more than a thousand volunteer groups have been set up to help the most vulnerable members of their community.
Even though these groups are doing this with the very best of intentions they still need to comply with data protection laws, specifically the General Data Protection Regulation (GDPR). However, as the Information Commissioner’s blog on this subject makes clear, GDPR does not stop these groups from processing and sharing personal data to support people. The ICO has published some general guidance on its approach during this period. It states that it will not “penalise organisations that… need to prioritise other areas or adapt their usual approach during this extraordinary period”. This appears to suggest that the ICO will not take any regulatory action against a volunteer group that is processing personal data to help others during the current crisis.
In this blog we consider why the GDPR applies, and what basic practical steps volunteer groups should take to ensure they do not fall foul of the legislation.
Most volunteer groups will hold at least two lists of people: a list of those who need help (such as the elderly or people at risk) and a list of volunteers. It is likely that the names of people needing help will be shared with those offering help, but they could equally be shared with the emergency services if necessary.
The act of compiling lists of contact details and storing them on a PC or sharing them with group administrators falls squarely within the definition of ‘personal data’ and ‘processing’ in GDPR Article 4. This also means that the volunteer group becomes a Data Controller and must ensure that it complies with the GDPR. Volunteer groups cannot take advantage of the processing “in the course of a purely personal or household activity” exemption in Article 2(2)(c).
The personal data processed is likely to be limited to name, address and telephone number, but will almost certainly contain Special Category Data (defined in GDPR Article 9) if any health information is recorded. Volunteer groups will need to be careful to ensure they only collect relevant personal data, otherwise they will breach the ‘data minimisation principle’ in GDPR Article 5(1)(c).
The most fundamental requirement of GDPR is that the processing of personal data is ‘lawful, fair and transparent’ (the first data protection principle in GDPR Article 5(1)(a)). Processing of personal data, even in these extraordinary times, is only lawful if the Data Controller has identified one of the lawful bases in Article 6. Consent is likely to be the most obvious lawful basis. However, people must know exactly what they are consenting to, and they must understand why their personal data is being processed and who it might be shared with. Alternatively, the processing may be necessary for the legitimate interests of the Data Controller or other third parties (such as the people receiving help). Given the circumstances surrounding the compilation of local lists, and the difficulties in securing consent, this is likely to be the most flexible and useful lawful basis. However, it also requires groups to consider how the processing impacts the interests and fundamental freedoms of data subjects; in essence, they must consider the reasonable expectations of data subjects. So, for example, a person who gives their name because they need help would not expect their name to be widely shared on social media. If a person’s health and safety is at risk, then the volunteer group may be able to rely on the ‘vital interests’ condition in Article 6(1)(d).
Volunteer groups will inevitably collect some health data, which means that in addition to an Article 6 condition, they need to satisfy one of the lawful conditions in GDPR Article 9. The most obvious one, albeit limited, is if the processing (for instance, sharing) is necessary to protect a person’s “vital interests”, such as saving their life. However, this only applies where the data subject is physically incapable of giving consent. For example, if a volunteer knows that an old person is not responding to their calls and is concerned that they may be very ill, then they could share this information with the emergency services or the GP. Other possibilities (aside from explicit consent) could include Article 9(1)(i), “processing is necessary for reasons of public interest in the area of public health”. The ICO blog suggests that ‘safeguarding individuals’ is a possibility, but it isn’t clear what specific Article 9 condition they are referring to.
GDPR practitioners are likely to be very familiar with the transparency requirements in GDPR Articles 12-14. However, small volunteer groups are unlikely to have a website or the time and resources to draft detailed Privacy Notices. Although the ICO’s blog suggests that it is best that groups have a Privacy Notice (and even provides a link to a template), it also recognises that if this is going to delay vital support then groups can just speak to people. However, it cautions that they need to be clear, honest and open about what they are doing with people’s personal data. Therefore groups may be well advised to produce a short statement when they collect personal data which gives a brief explanation of why they are collecting it and how they propose to use it.
We all hope that this crisis will be over very soon, and we can get back to our normal lives. However, some volunteer groups may be tempted to continue offering a neighbourly support service. Although this is to be applauded, it raises data protection issues, specifically compliance with the other data protection principles listed in GDPR Article 5. The personal data was collected for a specific purpose and, after the crisis has ended, should not be used for other purposes unless those new purposes are compatible with the original purpose (the ‘purpose limitation principle’ in GDPR Article 5(1)(b)).
In any event, the personal data collected should not be kept for longer than is necessary for the purposes for which it was originally processed (the ‘storage limitation principle’ in GDPR Article 5(1)(e)). This means that after the crisis, people who have supplied their contact and even health details have a right to expect that their personal data will be safely destroyed. Personal data must also be accurate and up to date (the ‘accuracy principle’ in GDPR Article 5(1)(d)). This is another reason for destroying the personal data once things get back to normal.
Even with limited resources, volunteer groups must take appropriate steps to protect the personal information against any unauthorised or unlawful processing and against accidental loss (the ‘integrity and confidentiality principle’ in GDPR Article 5(1)(f)). Only a small number of people should have access to the data, and it should be securely stored. This is particularly important given that a lot of the data will concern vulnerable people.
Nobody is suggesting that volunteer groups become GDPR experts overnight, but they still need to ensure basic compliance with the GDPR obligations. The ICO has published guidance on its website and a useful set of Q&As.
More on this and other developments in our GDPR webinars. Looking for a GDPR qualification from the comfort of your home office? Our GDPR Practitioner Certificate is now available as an online option.
2 thoughts on “GDPR and Coronavirus Community Support Groups”
I think by safeguarding the ICO might be thinking about the requirements that public bodies have under various laws to safeguard vulnerable adults and children (like the Care Act and Children’s Act), so maybe art 9(g) and 9(h)? Assuming the conditions are met https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-are-the-substantial-public-interest-conditions/ and there are policy documents in place, although I imagine the ICO might show some laxity on the paperwork side.
Thanks for your thoughts Sarah.