ICO Guidance – COVID-19
Like other regulators, the ICO has issued guidance to reassure healthcare bodies and professionals that information governance issues should not be a barrier to effective information sharing to manage the response to the COVID-19 virus. Outside the mandatory sharing now that COVID-19 has been made a notifiable disease, there will be a need to share information as part of a co-ordinated response. Data protection is often (unjustly) accused of being a barrier to necessary information sharing, but the guidance is a timely reminder that the GDPR is a framework that does not prevent necessary information sharing, and what is necessary and proportionate is context-sensitive: more information may need to be collected and shared in present circumstances than would otherwise have been needed. Likewise, when considering information sharing decisions through the lens of the Caldicott principles and common law confidentiality, the need to protect others from the risk of serious harm will always need to be considered.
The guidance also indicates that the ICO will adopt a realistic approach to compliance with the various statutory deadlines that apply under the information access regimes. The deadlines still apply (they can only be changed through legislation) but when dealing with applicants, and presumably when considering enforcement action, the ICO will be mindful of the fact that healthcare providers will have other calls on their finite resources.
NHSX has also issued its own guidance which complements that of the ICO, emphasising that with changing patterns of working alternative means of communication may be needed, and information governance concerns should not be a barrier to necessary information sharing or the use of alternative methods of communication, such as video conferencing and instant messaging.
While this pragmatic guidance is to be welcomed, it does not meant that ordinary information governance measures should be disregarded. The normal safeguards for protecting data will still need to be observed, even if these are applied in a new context, and the ICO’s pragmatic stance does not mean compliance can be ignored, especially in cases where in fact the steps needed are unaffected by the pressures on the organisation.