ICO guidance during COVID-19
Like other regulators, the ICO has issued guidance to reassure healthcare bodies and professionals that information governance issues should not be a barrier to effective information sharing to manage the response to the COVID-19 virus.
Outside the mandatory sharing now that COVID-19 has been made a notifiable disease, there will be a need to share information as part of a co-ordinated response. Data protection is often (unjustly) accused of being a barrier to necessary information sharing, but the guidance is a timely reminder that the GDPR is a framework that does not prevent necessary information sharing, and what is necessary and proportionate is context-sensitive: more information may need to be collected and shared in present circumstances than would otherwise have been needed. Likewise, when considering information sharing decisions through the lens of the Caldicott principles and common law confidentiality, the need to protect others from the risk of serious harm will always need to be considered.
The guidance also indicates that the ICO will adopt a realistic approach to compliance with the various statutory deadlines that apply under the information access regimes. The deadlines still apply (they can only be changed through legislation) but when dealing with
applicants, and presumably when considering enforcement action, the ICO will be mindful of the fact that healthcare providers will have other calls on their finite resources.
NHSX has also issued its own guidance which complements that of the ICO, emphasising that with changing patterns of working alternative means of communication may be needed, and information governance concerns should not be a barrier to necessary
information sharing or the use of alternative methods of communication, such as video conferencing and instant messaging.