We understand that many of our clients may have concerns about the disruption and impact on business activity as a consequence of the current COVID-19 outbreak. In light of the changing circumstances, we have set out some key information law considerations and what it might mean for our housing clients, below.

Are there any legal changes to the GDPR or information law in light of coronavirus?

Not specifically. The Coronavirus Act does not amend information law in England and Wales. However, GDPR and other sources of information law are not obstacles to using information appropriately and sensibly in the context of COVID-19.

GDPR and the Data Protection Act 2018 specifically provide that using personal data for public health purposes as well as safeguarding, the provision of health and social care, and ‘social protection’ (including housing) is lawful. Where practical, all normal processes (including around information governance – for instance doing Data Protection Impact Assessments) should be followed.

Do we still have to deal with Subject Access Requests?

Yes, but you may want to be clear with applicants that it may take longer than you (or they) would like to respond to them. The ICO has said that whilst it cannot vary the statutory timescales for data protection compliance (e.g. in relation to answering subject access requests), it won’t penalise organisations that need to adapt their approach during this extraordinary period. You can find guidance on the ICO’s regulatory action policy in the coronavirus period here.

Can we send communications to tenants about changes in services, even if they haven’t opted in?

Yes - these are not marketing messages and all forms of technology (including phone, text, or email) can be used. Care should be taken to make sure that messages are necessary, sent at a sensible time of day, and that the identity of the sender is clear. Care should also be taken to use technology which is privacy protective (e.g. specialist mailing software) – a housing association has already had a data breach in trying to send communications to tenants with the wrong attachment. Unfortunately this included a large amount of sensitive information about other tenants.

What do we need to think about if we are moving to increased home working?

Data protection law is not a barrier to home-working, but information security considerations still apply. Organisations using more home working should:

1. Think about the technical security measures they have in place; for instance Two Factor Authentication, use of virtual networks, and any restrictions you may want to have on printing and downloading/saving files. The National Cyber Security Centre has useful guidance on extending Working from Home.  
2. Do some due diligence on any suppliers you wish to use, and making sure that appropriate agreements are in place with them.
3. Test your security measures, where opportunity allows;
4. Where possible, use corporate devices rather than allow staff to use personal email accounts or devices for work purposes. Where staff need to use their own private devices, organisations should have a Bring Your Own Device policy;
5. Take the opportunity to roll out extra training for staff on information security.

Can we tell tenants that a neighbour or staff member has coronavirus?

If it’s necessary to protect their health, then yes – this may be particularly relevant in sheltered housing or shared lives schemes. Ideally because such information is confidential, if it is possible to get the agreement of the infected person, that should be done. It may be possible to justify sharing information in the public interest/out of necessity without consent, although only the minimum necessary information should be shared. If it is not necessary to pass on names or other personal information, this should not be done. Organisations may want to consider (as part of contingency planning) some advance messaging to residents, which could include a heading along the lines of “Will we be told if someone living in our block has COVID-19?” to help manage expectations.

How can Capsticks help?

Our information law team are experts in all areas of information law, concerning tenants, employees and members of the public. We give practical advice on the full range of advisory, transactional, regulatory and litigated issues including effective information sharing between organisations, complex subject access requests, and responding to information security incidents and cyber-attacks.

If you have any queries around what is discussed in this insight, or for advice on information law issues, please speak to Andrew Latham or Serena Patel.