By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.
COVID-19 has forced s a business to worry about customers paying, paying billings, and keeping employees.
What business might not be thinking about is fulfilling their data privacy obligations. One of the most challenging data privacy obligation is data subject rights, such as, data access requests (DAR).
Do they just say to heck with it, pack it up and see you on the other side? The answer to the latter question is – privacy laws still apply; they are not a barrier to appropriate and necessary information sharing.
During the COVID-19 pandemic, businesses may be unsure if their data privacy and data protection obligations are secondary. Many Data Protection Authorities including the U.S. Department of Health and Human Services have published guidance about processing personal information including sensitive personal health information.
GDPR Article 9 (2) (i) allows the processing of special categories of personal data if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
According to Andrea Jelinek, Chair of the European Data Protection Board (EDPB), “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
But, what to do about mandated obligations for responding to data access requests? The laws stipulate time frames to respond to DAR. However if needed an extension may be requested. The GDPR provides for an extension of two months to respond to a request where necessary considering the complexity and number of requests.
Ireland’s Data Protection Commission states, “While the timelines for responding to requests from individuals are set down in law in the GDPR and can’t be changed, we recognise that unavoidable delays may arise as a direct result of the impacts of COVID-19. Where an organisation, due to the impact of COVID-19, cannot respond to a request in full or in part within the statutory timelines, they remain under an obligation to do so and should ensure that the request is actioned as soon as possible. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.”
The United Kingdom’s Information Commissioner’s Office (ICO) stated, they “recognise the unprecedented challenges we are all facing during the Coronavirus (COVID-19) pandemic.” ICO’s response to a concern and question posed by a business, “… we are worried that our data protection practices might not meet our usual standards or our response to information rights requests will be longer. Will the ICO take regulatory action against us?”
“No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”
The California Consumer Protection Act (CCPA) under §1798.130 allows a one-time 45-day extension for the right to know and delete “when reasonably necessary” as long as the individual is notified of the extension within the first 45-days of receipt of the request.
As best practices go, continue to adhere to all privacy laws including data access requests. However, If an extension is needed or you are unable to respond to the DAR then
Taking these actions will show the requester you care about them and their data. And that is what privacy laws are about treating information like an actual person.