The Coronavirus (COVID-19 or SARS-CoV-2) pandemic has resulted in unprecedented challenges worldwide. Amongst these, businesses are finding it difficult to reconcile the need to share information quickly and effectively with their obligations under relevant data protection legislation.
ISOLAS LLP Partner, James Montado, and Associate, Michael Adamberry, who amongst a wide range of practice areas specialise in Privacy & Data Protection, and Banking & Regulatory Services, comment on some of the key considerations for businesses during these challenging times.
A perfect storm
As the rate of the spread of COVID-19 increases exponentially, Europe now finds itself at the epicentre of the pandemic. Governments are looking to ensure business continuity, whilst having to engage emergency lockdown protocols for their citizens. Last week, ISOLAS commented on how Her Majesty’s Government of Gibraltar (HMGoG) had implemented a set of immediate economic measures to allow Gibraltar’s economy to weather the storm ahead, with further measures announced by the Chief Minister this week.
Some businesses, practically overnight, have had to adjust to the emergency legislation, which, although focused on preventing long-term damage to the Gibraltar economy, has led to some businesses having to temporarily suspend business altogether, whilst others resort to remote working, or working telematically (i.e. merging telecommunications and informatics, resulting in telematics).
No Data Protection considerations left behind
As businesses adapt to the new normal, new challenges arise for those that are not accustomed to remote working; from sourcing suitable equipment to staff training, to employment and HR issues. Some may be tempted to shift the priority of ensuring adequate data protection downward on the list of business concerns as they focus on how to keep their business afloat in the midst of the rapidly developing socio-economic crisis.
As financial and human resources are diverted away from regulatory compliance and information governance work, this creates an inevitable risk of potential regulatory action. However, provided that organisations can reasonably justify the need to prioritise other areas, and that they do not completely forget about Privacy & Data Protection, various regulators, such as the Gibraltar Regulatory Authority (GRA), have signified that a more lenient approach will be taken, penalising only those that have a flagrant disregard for their legal and regulatory obligations, or those who take no steps at all to at least try and address these.
Some key questions and answers
The Gibraltar Regulatory Authority (GRA) has released guidance on what businesses need to know. The UK’s Information Commissioner’s Office (ICO), which is respected as one of the leading supervisory authorities worldwide, has also commented on the recent outbreak in its newsletter. Some of the key points raised are as follows:
Other employer considerations:
Given an employer’s duty of care towards other employees, and to ensure the occupational safety and health of their employees, this “employment, social security and social protection” justification (GDPR Art. 9(2)(b)) could provide sufficient justification in many of the above cases. The next weeks and months will also likely see an increase in reliance on “vital interests” (GDPR Art. 6(1)(d)) as a lawful basis, together with other justifications such as “preventative and occupational medicine” (GDPR Art. 9(2)(h)) and “public health” (GDPR Art. 9(2)(i)).
James Montado said: “As signalled by both the GRA and ICO, the top line here is a recognition of the importance of allowing information to flow rapidly and to slow down the spread of this virus. Data protection laws should not stop businesses from doing that, and are designed not to hinder information flow, but to ensure that valid justifications are considered. Common sense should always prevail, and there may be legitimate and proportionate aims pursued by data controllers that outweigh the fundamental rights and freedoms of natural persons - but let’s take some time to think about what those are and how we can document these assessments.”
If you would like any further information on your Privacy & Data Protection obligations, or would like ISOLAS to conduct an independent audit of your policies and procedures, please contact James Montado on james.montado@isolas.gi or Michael Adamberry on michael.adamberry@isolas.gi.