Data protection and Coronavirus: what you need to know by the ICO.

March 27, 2020

The Information Commissioners Office (ICO) have issued guidance to firms in response to the COVID 19 pandemic.

We have summarised the ICO’s response and highlighted important information which will be of benefit to members.

The ICO recognises the unprecedented challenges we are all facing during the Coronavirus (COVID-19) pandemic.

In this time of crisis, the ICO have confirmed that they will take a pragmatic view of firms’ responses to these challenges but have reiterated that data protection principles will still apply.  The ICO have acknowledged that they expect some service standards to suffer as a result of the impact of home working and other factors which make normal day to day business activities more challenging. The ICO do not intend to pursue regulatory action against firms as a result of firms not meeting their usual services standards. We would encourage member firms to take what reasonable and proportionate steps they can to ensure they continue to meet the data protection obligations.

We have summarised the frequently asked questions which specifically relate to commercial finance brokers from the ICO guidance. If you wish to access the full FAQ’s, a link can be found below.

During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?

No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.

We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.

More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?

Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.

Can I tell my staff that a colleague may have potentially contracted COVID-19?

Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.

Can I collect health data in relation to COVID-19 about employees or from visitors to my organisation? What about health information ahead of a conference, or an event?

You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.

It’s reasonable to ask people to tell you if they have visited a particular country or are experiencing COVID-19 symptoms.

You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.

If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.

Can I share employees’ health information to authorities for public health purposes?

Yes. It’s unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law won’t stop you from doing so.

To summarise the ICO understands it is a difficult time for many people, and that working from home can bring practical challenges. The ICO are there to help with any data protection queries and can be called on 0303 123 1113.

Their website continues to be a valuable resource of information on topics like cyber security for remote working, data protection impact assessments and handling subject access requests.

Please review the ICO guidance here- and

Additionally if any of our members have any queries, please contact NACFB directly by email on