Information Commissioner's Office
Blog: Community groups and COVID-19: what you need to know about data protection
Blog posted by: Ian Hulme, Director for Regulatory Assurance at the ICO, 30 March 2020.
As COVID-19 continues to sweep across the UK, more and more people are driven to help the most vulnerable in our communities. Church groups, neighbourhood and residents' associations are being set up to support the work of existing community groups, services and charities.
Often, these groups need to handle sensitive personal information and share it with others. And that means taking account of data protection law.
If you’ve just formed a community group, this may be the first time you’ve had to think about data protection. Put simply, the law is a set of sensible standards that will help you handle people’s information responsibly. That means taking proper care of things like people’s names and addresses as well as more sensitive details about their health or religion.
Crucially, data protection rules will not stop you from helping those in need.
This blog is intended to clarify some of the basics of data protection, and to give established community groups, services and charities clarity on how to apply the law in this extraordinary time.
We’ve also published Q and As for organisations that might help you. If you still need help, we’re here to answer your questions. Ring us on 0303 123 1113.
Keep it clear
You should be clear, open and honest with people about what you are doing with their personal information. Tell them why you need it, what you’ll do with it and who you’re going to share it with.
It’s best to have this written down in a document called a privacy notice – here’s a template you can use. But if that’s going to delay vital support, then you can just speak to people.
In an emergency, working with partners and sharing information with them can make a real difference to public safety. In fact, it could be more harmful not to share the data than to share it.
For example, you might need to tell a local council about elderly residents who are housebound due to self-isolation and who need support.
If you can, think ahead. What kind of information are you likely to share? What do you need to do to make sure that happens securely?
Data protection law does not prevent you sharing personal information where it is appropriate to do so.
Keep it lawful
If you’re not sure whether you should be handling personal data, think about whether it falls into one of the following categories:
- Would the person expect me to use their information in this way (legitimate interests)?
- Have they given me their clear and unambiguous consent to use their personal information (consent)?
- Is the person’s health or safety at risk if I don’t use their personal data (vital interests)?
If the answer is yes to any of these questions, then you can handle and share personal data.
You should also take particular care if you’re handling sensitive data, referred to as ‘special category data’ in data protection law. This is private information like your health records, sexuality, race, ethnicity and religion. If you are going to use this kind of information, you should ask further questions:
- Do I need this information to protect a person at risk (safeguarding individuals)?
- Have they given me their explicit consent to use their private information (consent)?
- Would this information save someone’s life (vital interests)?
If the answer is yes to any of these questions, then you can also handle and share this type of information. Make sure you are doing only what is necessary and appropriate for the task at hand.
Keep it secure
You must look after the personal data you collect. That means keeping it secure on a device – which can be your own – or in a locked cabinet, for example.
Security measures needn’t be so onerous that they prevent you carrying out your work.
Think about the impact on a vulnerable person if the information they entrusted you with becomes lost or stolen. Then apply measures to reasonably reduce the risk of that happening.
We’ve created some simple security tips for community groups.
Keep it to a minimum
Only use and keep what you need to provide help to vulnerable people during the COVID-19 crisis. When the emergency is over, make sure you and your volunteers securely delete or destroy any personal information that you no longer need.
Keep a record of what you’ve done
Finally, you should keep a record of any decisions you make that involve the use of personal information. Ideally, you should do this first – even before you start collecting information. But we understand that might not be possible during the pandemic. So just make sure you keep notes of what you’ve done and why and then make more detailed records as soon as possible.