COVID-19: regulatory update

The European Data Protection Board – the EDPB has produced Guidelines on the processing of health data in the context of COVID-19, by governments and health authorities. It focuses on scientific uses of data. The EDPB’s headline statement is that data protection rules, including the GDPR, “do not hinder measures taken in the fight against the COVID-19 pandemic” because “the GDPR is a broad piece of legislation and provides for several provisions that allow” organisations “to handle the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic in compliance with the fundamental rights to privacy and personal data protection”. 

The ICO has issued guidance addressing its regulatory approach “during the coronavirus public health emergency”. The ICO says it will, and must, “act in a manner which takes into account these circumstances” which includes its use of enforcement powers. The ICO recalls that the law gives it flexibility around how it carries out its regulatory role, for example as to considering whether an organisation has implemented “appropriate and proportionate safeguards”. The ICO will take into account, when considering enforcement, the impact of the potential economic or resource burden which its actions will have on organisations, and focus “efforts on the most serious challenges and greatest threats to the public”.

Aaron Moss