Some new clarification came from the Information Commissioner’s Office yesterday about that grey area between individual privacy rights on the one hand and the public interest on the other. Against the background of the Coronavirus crisis (and perhaps recognising that any other position would be politically terminal), the ICO has made it clear that even though information about a person’s exposure to or infection by the virus is the most sensitive of sensitive personal data, disclosures of that information as necessary in the reasonable interests of wider public health will in broad terms go through on the nod. In its press release, the ICO describes itself as “a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency”.
Of course, that does not mean that the overriding principle of data minimisation (having the least possible amount of personal data accessible to the smallest possible number of people for the shortest possible period of time) is not still out there and kicking. This is not a green light to tell anybody anything about an employee’s health without restriction. You should not tell people things they don’t need to know in order to protect themselves. For example, the identity of an affected employee might be relevant to his immediate colleagues, but will not be so to everyone in the wider business.
All that said, the reality must be that an employer faced with a choice between protecting the margins of one individual employee’s medical privacy on the one hand and under-informing the others with potentially fatal consequences on the other is only ever going to go one way. Therefore, while the ICO’s new public stance is welcome, it is also probably inevitable. For more details, do take a look at this more comprehensive summary by our Data team [here].