The data protection DOs and DON’Ts during the COVID-19 crisis

You’ve no doubt come across dozens of articles advising you on how to cope during the COVID-19 crisis. However, it’s not only the physical and mental wellbeing of your staff that you need to look after but also your organisation’s ability to prevent security incidents.

With employees working from home and no longer subject to the security protections that the office provides, it can be hard to maintain good habits – particularly as amongst the uncertainty that the pandemic brings to everybody’s home and work lives.

This blog aims to keep everybody on the same page, providing useful tips on what to do – and more importantly, what not to do – to ensure your organisation remains safe and secure.


  • Under the GDPR (General Data Protection Regulation), organisations must have a lawful basis for processing personal data – this includes processing personal data to contain the spread of COVID-19. In this context, the following lawful bases may apply:
    • Article 9 (2) i) (“processing is necessary for reasons of public interest in the area of public health”), including health data, if organisations are acting on the guidance of authorities and once suitable safeguards are implemented (e.g. limitation on access to the data, strict time limits for erasure, adequate training of the employees involved in the processing).
    • Articles 6 (1) c) (employer’s obligation to protect its employees under the Safety, Health and Welfare at Work Act 2005, as amended) and 9 (2) b) of the GDPR provide a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so.
    • Article 6 (1) d) of the GDPR (processing carried out to protect the vital interests of an individual or other persons), where necessary. A person’s health data may be processed where they are physically or legally incapable of giving their consent, but only in emergency situations, where no other legal basis can be identified.
  • Any data processing for the purposes of preventing the spread of COVID-19 must be carried out in a manner that ensures the security of the data.
  • Organisations must provide individuals with information about the processing of their personal data.
  • Organisations should document any decision-making process regarding measures implemented to manage COVID-19 that involve the processing of personal data.
  • Recording of any health information must be justified and limited to what is necessary for an employer to implement health and safety measures. Therefore, only the minimum necessary amount of personal data should be processed to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.
  • Employers are required by law to protect the health of their employees as well as to provide a safe place of work. During the COVID-19 situation, it would be considered acceptable for employers to ask employees and visitors to inform them if they have visited an affected area and/or are experiencing any COVID-19 symptoms.
  • Public health authorities may require the disclosure of personal data in the public interest to protect against serious public health threats. Employers should follow the advice and directions of their public health authorities.


  • The identity of affected individuals must not be disclosed to their colleagues or any third parties without a clear justification.
  • Employers may inform personnel that there has been a case, or suspected case, of COVID-19 in the organisation, but they must not disclose the employee’s identity. However, public health authorities may require disclosure of this information in order to carry out their functions with regard to providing medical treatment and contact tracing.

Want more GDPR advice?

As the COVID-19 crisis wages on, GDPR compliance is more important than ever. Cyber attackers are already trying to profit from the disruption and uncertainty, and it can hard for you and your team – isolated in their homes – to navigate these risks.

Fortunately, we have everything you need to cope with these disruptions. Most of our products and services are available remotely, so you can address your cyber security worries without jeopardising your physical security.

Those who want guidance on how to manage their data protection requirements in this time should take a look at our Certified GDPR Foundation Distance Learning Training Course.

This one-day course provides a comprehensive introduction to the Regulation, explaining how it works and the steps you can take to comply.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.