Data Protection and Covid-19

We have summarised the key points as follows:

1. Lawfulness

• It is permissible to process personal data if you are acting on behalf of public health, or other relevant authorities, as long as suitable safeguards are in place, e.g. restriction of access, time-limits etc.  
• If it is necessary to process personal data, to protect the vital interest of an individual, it is permissible to process health care data, but in a confidential manner, e.g. communications about potential cases should not identity employees.       

2. Transparency

• Where personal data is being processed, as is always the case, this must be done in a transparent way, outlining the reason and stating how long it will be retained.

3. Confidentiality

• Even when data is being processed to prevent the spread of Covid-19, the same requirements apply to the security of data and it should be ensured that the identity of individuals is not disclosed inappropriately.

4. Data Minimisation

• Only the minimum data necessary should be processed, per the standard guidance, when implementing steps to prevent the spread of Covid-19.

5. Accountability

• Finally, when implementing actions to manage Covid-19 please ensure that you document your decision-making process around processing of personal data.

To read the full text of the DPC guidance please visit: https://www.dataprotection.ie/

BDO Risk & Advisory’s specialist data privacy and protection team can advise your organisation about the processing of information in respect of COVID-19. To find out more about what the team can do for your business, visit:

• BDO IT Internal Audit
• BDO Cybersecurity