ICO, EDPB issue guidance on data protection and the Covid-19 coronavirus pandemic

‘Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing,’ the ICO says. ‘Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’

Andrea Jelinek, Chair of the European Data Protection Board (EDPB), announced today: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

The GDPR provides a legal ground that enables employers and the competent public health authorities to process personal data in the context of epidemics without the need to obtain the consent of the data subject, the EDPB declares. This applies, for instance, when the processing of personal data is necessary for employers for reasons of public interest in the area of public health, to protect vital interests (Art. 6 and 9 of the GDPR), or to comply with another legal obligation.

With regard to the processing of electronic communication data, such as mobile location data, the national laws implementing the e-Privacy Directive apply. Location data can be used by the operator only when it is made anonymous, or with the consent of the individuals. Public authorities should aim to process location data in an anonymous way.